An Assertional Characterization of Serializability and Locking

Ernest Robert McCurley, Ph.D.
Cornell University 1988


The problem of synchronizing transactions in a database system so that concurrent execution transforms the system from one consistent state to another is called the Concurrency Control Problem. Over the past 20 years, a property of concurrent execution called serializability has evolved as a universal paradigm for solving the Concurrency Control Problem. Up until now, most work on serializability has been characterized by an emphasis on sequences of operations. Researchers studying programming logics and methodologies have developed a different approach to characterizing the semantics of concurrent programs. This approach is called assertional reasoning, and emphasizes the system state instead of sequences of operations. This dissertation describes the extension of the formalisms and tools of assertional reasoning to the Concurrency Control Problem.

Proposed is a definition of serializability that generalizes previous definitions in many respects. Two methods are described by which this definition of serializability can be specified in an assertional programming logic using formulas called proof outlines. As a consequence of specifying serializability with proof outlines, it becomes possible to formally verify serializability. The use of an assertional programming logic eliminates the need to explicitly consider transaction interleavings, simplifying verification. Another consequence of specifying serializability with proof outlines is the ability to derive synchronization protocols for serializability. This possibility is realized in the form of a method for deriving locking protocols from assertional specifications. The method is based on a novel view of locking, in which locks held by transactions reflect properties of the system state. Using this method, semantic information available during the derivation process can be used to obtain locking protocols permitting greater concurrency among transactions than locking protocols obtained by more traditional methods. Examples are given throughout the dissertation to illustrate the methods described.
Chapter 1

Introduction


Many computer applications involve information that must be stored, retrieved, and modified. For example, a bank must maintain customer account balances and update them as deposits and withdrawals are made; a university must record information about course offerings and student grades.

Database systems are computer systems that store and maintain large amounts of information. Information in a database system is typically stored on magnetic disk storage devices rather than in primary memory because of their high capacity for data storage and relative involatility. It is accessed through one or more processors connected to these storage devices.

Information stored in a database can be viewed as modeling some aspect of the application it supports. For example, a banking database system might store a list of numeric values to model balances of customer accounts. As events, such as deposits and withdrawals, transform the application state, the database state is transformed accordingly by running programs called transactions.

The correspondence between an application and a database system imposes certain restrictions on the database system state. A bank might require account balances to be non-negative, which restricts the stored values that model these balances to be non-negative. Restrictions imposed by an application on the database system state are called consistency constraints. A consistency constraint can be thought of as a predicate on the database system, although in practice such predicates are often too complex to be written explicitly. States that satisfy the consistency constraint are called consistent states.

Database systems are started in a consistent state and transactions are constructed so that they model the events to which they correspond, thereby guaranteeing that each transaction individually will transform the system from one consistent state to another. A serial execution of transactions is one in which transactions are executed one at a time, starting one only after the preceding one completes. By a simple inductive argument on the number of transactions, any serial execution will transform the system from one consistent state to another.

Concurrent execution of transactions, in which one or more transactions are started before previous ones complete, has an advantage over serial execution. In some systems, a large portion of transaction execution time is spent waiting for responses from relatively slow I/O devices (such as user terminals or storage devices). By running transactions concurrently, the time that one transaction spends waiting can be used to run operations from another transaction that is not waiting, thereby increasing the rate at which transactions are processed.
Unfortunately, without synchronization, concurrently executed transactions can interleave in ways that leave the database in an inconsistent state. The problem of synchronizing transactions so that concurrent execution transforms the system from one consistent state to another is called the Concurrency Control Problem. Over the past 20 years, a property of concurrent execution called serializability has evolved as the basis for solving the Concurrency Control Problem. Until now, however, most work on serializability has been characterized by an emphasis on sequences of operations. The definition of serial execution of transactions is an example of this style of characterization. The view that locking protocols exclude operations from executing concurrently is another example.

A different approach to analyzing the semantics of both sequential and concurrent programs has been developed by researchers studying programming logics and methodology. The approach is called assertional reasoning and emphasizes system states rather than operation sequences. This thesis describes the application of assertional reasoning to database systems. We give an assertional characterization of serializability; it generalizes previous definitions of serializability. Our approach to defining serializability not only allows the correctness of synchronization protocols for serializability to be proven formally, but also allows semantics of an application to be incorporated into the derivation of synchronization protocols that allow a high degree of concurrency among transactions. We illustrate this benefit by giving an assertional characterization of locking and a method for deriving locking protocols from specifications.


1.1 Consistency and Concurrency


A simple example illustrates the Concurrency Control Problem. Consider a database system that models bank accounts numbered from 0 to N. The database stores account balances as values in an array a[0..N], with a[i] holding the balance of account number i. Another variable ba holds the value of bank assets. As is typical of database systems, these values are stored on magnetic disk.

Disk drives typically provide two types of operations for accessing values: read and write. Let r(x,t) denote a read operation that copies the value of x (stored on disk) into a computer memory location denoted t; let w(x,e) denote a write operation that evaluates expression e involving values in computer memory and copies the resulting value back to x on disk.

The requirement that bank assets match the amount deposited in accounts induces a consistency constraint ba = Σ_{0 ≤ i ≤ N} a[i], specifying that ba equals the sum of values in a[0..N]. As customers make deposits and transfer funds within accounts, transactions must be run to update the values in a[0..N] and ba while leaving the system in a consistent state.

Using read and write operations, the transaction DEP(a[i],x) of Figure 1.1 increments a[i] and ba to reflect a deposit of amount x to that account. The transaction reads the balance of a[i] into memory and writes the updated balance back, subsequently updating ba in the same way to ensure that the consistency constraint will hold afterwards. In a similar manner, transaction INT(a[j],y) of Figure 1.1 increments a[j] and ba by y*a[j], reflecting the accumulation of interest at rate y by account j.


DEP(a[i],x):  r(a[i],t0);
              w(a[i],t0 + x);
              r(ba,t1);
              w(ba,t1 + x)

INT(a[j],y):  r(a[j],t2);
              w(a[j],t2 + y * t2);
              r(ba,t3);
              w(ba,t3 + y * t2)

Figure 1.1: Deposit and Interest Transactions.

Suppose that a deposit of d to account s is made at about the same time interest at rate r is being credited to that account. If DEP(a[s],d) and INT(a[s],r) run concurrently and without synchronization, transaction operations can interleave in the following order:

σ0: r(a[s],t0); r(a[s],t2); w(a[s],t0 + d); w(a[s],t2 + r*t2); r(ba,t1); w(ba,t1 + d); r(ba,t3); w(ba,t3 + r * t2).

A sequence of transaction operations like σ0 that denotes an interleaving resulting from concurrent execution is called a schedule. The use of the statement composition operator ";" between operations allows the schedule to be viewed as a sequential program having the same effect as the particular concurrent execution it is modeling. When concurrent execution produces schedule σ0, the update w(a[s],t0 + d) by DEP(a[s],d) is overwritten by INT(a[s],r), effectively losing the deposit into a[s]. As a consequence, σ0 will leave ba − d = Σ_{0 ≤ i ≤ N} a[i], an inconsistent state.
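The lost update can be seen by executing the schedules. The following is an added example, not code from the dissertation: it models the disk variables a[0..N] and ba, the transactions DEP and INT of Figure 1.1, and runs σ0 together with the serializable schedule σ1 and the serial schedule σ2 of Section 1.2; the account balances, the deposit d and the rate r are constructed values.

```python
# Added example, not taken from the dissertation: a small executable model of the
# bank database of Section 1.1, used to run the schedules sigma0, sigma1 and sigma2
# and check the consistency constraint ba = sum of a[0..N] after each one.
from fractions import Fraction

N = 3                                                   # accounts 0..N (constructed)
INITIAL = {"a[0]": 100, "a[1]": 50, "a[2]": 200, "a[3]": 75, "ba": 425}   # constructed, consistent
S, D, RATE = 2, 10, Fraction(1, 10)                     # deposit d=10, interest r=1/10, account s=2

# An operation is a tuple: ("r", txn, x, t) copies disk variable x into local t of txn;
# ("w", txn, x, e) evaluates e over txn's locals and stores the result in disk variable x.
def r(txn, x, t):
    return ("r", txn, x, t)

def w(txn, x, e):
    return ("w", txn, x, e)

def DEP(i, x, txn="DEP"):
    """DEP(a[i],x) of Figure 1.1: deposit x into a[i], then add x to ba."""
    v = f"a[{i}]"
    return [r(txn, v, "t0"), w(txn, v, lambda L: L["t0"] + x),
            r(txn, "ba", "t1"), w(txn, "ba", lambda L: L["t1"] + x)]

def INT(j, y, txn="INT"):
    """INT(a[j],y) of Figure 1.1: credit interest y*a[j] to a[j] and to ba."""
    v = f"a[{j}]"
    return [r(txn, v, "t2"), w(txn, v, lambda L: L["t2"] + y * L["t2"]),
            r(txn, "ba", "t3"), w(txn, "ba", lambda L: L["t3"] + y * L["t2"])]

def run(schedule, disk=INITIAL):
    """Execute a schedule as the sequential program it denotes; return the final disk state."""
    disk, locals_by_txn = dict(disk), {}
    for kind, txn, x, arg in schedule:
        L = locals_by_txn.setdefault(txn, {})     # each transaction has its own t0..t3
        if kind == "r":
            L[arg] = disk[x]
        else:
            disk[x] = arg(L)
    return disk

def consistent(disk):
    """The consistency constraint ba = sum_{0<=i<=N} a[i]."""
    return disk["ba"] == sum(disk[f"a[{i}]"] for i in range(N + 1))

def schedules():
    """The three schedules of the text, as interleavings of DEP(a[s],d) and INT(a[s],r)."""
    dep_ops, int_ops = DEP(S, D), INT(S, RATE)
    return {
        "sigma0": [dep_ops[0], int_ops[0], dep_ops[1], int_ops[1],
                   dep_ops[2], dep_ops[3], int_ops[2], int_ops[3]],   # lost update
        "sigma1": [dep_ops[0], dep_ops[1], int_ops[0], int_ops[1],
                   dep_ops[2], dep_ops[3], int_ops[2], int_ops[3]],   # serializable
        "sigma2": dep_ops + int_ops,                                  # serial: DEP then INT
    }

if __name__ == "__main__":
    for name, sched in schedules().items():
        final = run(sched)
        print(name, {k: str(v) for k, v in final.items()},
              "consistent" if consistent(final) else "INCONSISTENT")
```

After σ0 the bank assets exceed the sum of balances by exactly d, which is the relation ba − d = Σ a[i] stated above.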

1.2 Serializable Schedules
As σ0 illustrates, interleaving transactions can leave a database system inconsistent, but not all schedules in which transactions interleave transform the system from a consistent to an inconsistent state. One type of schedule that preserves consistency is a serializable schedule. A serializable schedule is one that "behaves like" some serial schedule—a schedule that denotes a serial execution of transactions.¹ Since serial execution of transactions transforms a database from one consistent state to another, execution resulting in a serializable schedule will do so as well.

An example of a serializable schedule of DEP(a[s],d) and INT(a[s],r) is

σ1: r(a[s],t0); w(a[s],t0 + d); r(a[s],t2); w(a[s],t2 + r*t2); r(ba,t1); w(ba,t1 + d); r(ba,t3); w(ba,t3 + r * t2).

For any given initial values of a[0..N] and ba, σ1 leaves the same final values as the serial schedule

σ2: r(a[s],t0); w(a[s],t0 + d); r(ba,t1); w(ba,t1 + d); r(a[s],t2); w(a[s],t2 + r * t2); r(ba,t3); w(ba,t3 + r * t2).

¹We describe more formally what it means for one schedule to "behave like" another in Section 1.3.4.

The consistency-preserving properties of serializable schedules imply that the Concurrency Control Problem can be solved by synchronizing transactions to ensure that every schedule is serializable.

1.3 Related Work

A great deal of research has been published about serializability. Several different database models have been considered and several different definitions of serializability have been proposed.

1.3.1 Operation Types

One way in which database system models differ is in the types of operations that can be used to construct transactions. Many models [BBGLS83, BCI83, BG81, BSW79, GW82, G83, G78, P79, R83, SLR76, TS85, Y84] assume that transactions are constructed from read and write operations as the ones described in Section 1.1 were. This reflects the use of storage devices, such as disks, that implement these operations in hardware. More recently, models have been devised for systems that support operations other than read and write. For example, a model with operations that traverse and manipulate search structures is considered in [CS85] and one with operations on abstract data types such as queues and sets is considered in [SS84] and [W84]. The model of [K83] does not place any restrictions at all on the operations from which transactions are constructed. Although system models with a greater variety of operations tend to make analysis of concurrent execution more complicated than in read-write models, they do make it possible to describe more accurately the semantics of concurrent execution.

Many models also make assumptions about the way operations are ordered within transactions. In [P79] and [BSW79], for example, transactions consist of a single read operation followed by a single write operation, each of which accesses several variables at the same time. In [Y84], transactions can contain several read and write operations but the operations are assumed to be ordered so that no transaction writes to the same variable twice or reads a variable it has previously written. Such restrictions on transaction structure simplify analysis.

In addition to assumptions about organization, different models make different assumptions about the degree to which semantics of individual operations are known. In [P79], only the set of variables accessed by a write operation is considered when analyzing its behavior; the function used to compute the value it stores is left unspecified. The same is true in [Y84]. In contrast, the models of [SS84] and [W84] specify not only the variables that operations access, but also details of how these operations transform these variables from one state to another. As with restrictions on operation type and order, weaker assumptions about operation semantics simplify analysis of concurrent execution. However, models that make stronger assumptions about semantic information allow use of this information when deriving synchronization for serializability, usually allowing more concurrency than models that make weaker assumptions.

1.3.2 Transaction Synchronization

Another area of difference in various database system models is the way in which transaction synchronization is represented. In some models, synchronization is implicit—transactions do not execute synchronizing operations directly but send requests for operations to a system process called a scheduler [P79]. The scheduler considers the history of requests when deciding whether to delay or grant a pending request. An example of implicit synchronization is timestamp ordering [BG81], in which a timestamp is assigned to each transaction as it begins to execute. Each request submitted to the scheduler is marked with the timestamp of the transaction submitting it. The scheduler then uses these timestamps to order requests. In other database system models, transaction synchronization is explicit—synchronizing operations appear among transaction operations for manipulating data.

1.3.3 Locking

A form of synchronization used in many database system models is locking [G78, K83, Y84, KS79]. In database systems that use locking for synchronization, transactions acquire and release entities called locks. In some systems using locking, transactions explicitly execute operations to acquire and release locks, while in others, locks are acquired and released implicitly as transactions execute operations. A locking protocol characterizes how locks can be used to synchronize transactions. A locking protocol specifies

• a set of possible modes, or types, that locks can have,

• a compatibility relation indicating what locks can be held concurrently, and

• a set of locking rules transactions must follow when acquiring and releasing locks.

Synchronization results from mediation of lock acquisition and release requests according to the compatibility relation, delaying requests that are inconsistent with the compatibility relation.

Previous research on synchronization in database systems has focused on developing locking protocols that allow as much concurrency as possible among transactions, but restrict possible schedules to serializable ones. Several protocols have been proposed. One area of difference between them is the set of lock modes assumed. The set of lock modes is usually derived from the set of operations that the database system model permits. Each lock mode typically specifies the operation with which it is associated and the process that has acquired it.

Lock compatibility relations have traditionally been derived from the semantics of the operations with which they are associated. Exclusive locks are used whenever the net effect of concurrently executing transactions can depend on how operations of a particular type interleave. For example, the value left in a[s] by transactions DEP(a[s],d) and INT(a[s],r) of Section 1.1 depends on how the write operations w(a[s],t0 + d) and w(ba,t1 + d) in DEP interleave with w(a[s],t2 + r * t2) and w(ba,t3 + r * t2) in INT. Consequently, the lock mode associated with write operations would be exclusive. If both transactions consisted of only read operations, every interleaving would produce the same result, which implies that the lock mode associated with read operations need

Locking rules for acquiring and releasing locks generally require a transaction to have acquired and not yet released a lock for an operation before it can execute that operation. Several additional restrictions on lock acquisition and release have been proposed. For example, lock acquisition and release is often required to be two-phase [EGLT76], which means that a transaction never acquires additional locks once it has released any lock. This divides transaction execution into a lock acquiring phase and a lock releasing phase.

A two-phase locking rule is shown to be sufficient to guarantee only serializable schedules for the model used in [EGLT76]. The necessity of two-phase locking in the absence of restrictions on transaction structure is also discussed there. In models where more is known about the structure of access to data, locking rules that are not two-phase have been proposed. In [BS77], for example, a protocol for transactions that traverse and modify B-trees that does not obey the two-phase restriction on lock acquisition and release is presented. This approach is generalized in [GS85] to obtain locking rules that are not two-phase when transaction operations are structured to traverse more general types of linked data structures.

1.3.4 Definitions of Serializability

As with database system models, several different definitions of serializability have been proposed. These definitions differ primarily in the formal definition of when a schedule "behaves like" a serial schedule.

One of the earliest formal definitions of serializability, found in [EGLT76], falls into a class of definitions that has subsequently been called conflict serializability [P86]. In conflict serializability, behaviors of schedules are compared according to certain conflict relations that they induce. A schedule σ induces the conflict relation CR_σ on pairs of operations in σ, where (a_i, a_j) ∈ CR_σ if and only if a_i and a_j are from different transactions, a_i appears before a_j, and both operations cannot be run in the other order and produce the same result. The conflict relation CR_σ is extended to transactions by defining (τ_x, τ_y) ∈ CR_σ if and only if (a_i, a_j) ∈ CR_σ for some operation a_i from τ_x and a_j from τ_y.

A conflict relation CR_σ reflects the potential for one transaction to influence the behavior of another in the concurrent execution represented by the schedule σ. Thus, the behavior of two schedules can be compared by comparing their associated conflict relations. Two schedules σ and σ' are conflict equivalent if and only if CR_σ and CR_σ' are the same relations on transactions. A schedule σ is conflict serializable if and only if it is conflict equivalent to some serial schedule σ'. An equivalent definition sometimes given is that σ is conflict serializable if and only if CR_σ is acyclic, since this ensures at least one serial schedule shares the same conflict relation.

As the second formulation of conflict serializability illustrates, whether or not a particular schedule is conflict serializable depends directly on the strength of the conflict relation: the more conflicting operations there are in a schedule σ, the more likely CR_σ is to contain a cycle and hence fail to be conflict serializable. For this reason, operation semantics are used to define conflict relations that relate as few operations as possible. In models with read and write operations, the conflict relation is defined so that (a_i, a_j) ∈ CR_σ whenever a_i and a_j reference the same variable and at least one is a write operation. This is because pairs of operations on different variables or pairs of operations that only read the same variable cannot influence each other. In models such as [K83] and [GS85], the greater degree to which operation semantics are specified permits weaker conflict relations to be specified. For example, two operations that change the value of the same variable do not necessarily conflict as they would if they were simply considered to be instances of write operations.
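The two formulations of conflict serializability above can be made mechanical. The following is an added example, not code from the dissertation: it builds CR_σ under the read/write conflict rule, lifts it to transactions, and applies both tests (conflict equivalence to a serial schedule, and acyclicity) to σ0, σ1 and σ2 of Sections 1.1 and 1.2. The conflict rule is a parameter so that a semantics-aware rule can be substituted for the read/write one.

```python
# Added example, not from the dissertation: computes the read/write conflict relation
# CR_sigma of a schedule, lifts it to transactions and decides conflict serializability
# by checking that relation for cycles. A schedule is a list of (txn, kind, var) triples.
from collections import defaultdict

def rw_conflict(op1, op2):
    """Read/write rule: same variable, different transactions, at least one write."""
    (t1, k1, x1), (t2, k2, x2) = op1, op2
    return t1 != t2 and x1 == x2 and "w" in (k1, k2)

def conflict_relation(schedule, conflict=rw_conflict):
    """CR_sigma on transactions: (tx, ty) whenever an operation of tx precedes,
    and conflicts with, an operation of ty in the schedule."""
    rel = set()
    for i, a in enumerate(schedule):
        for b in schedule[i + 1:]:
            if conflict(a, b):
                rel.add((a[0], b[0]))
    return rel

def is_acyclic(rel):
    """Depth-first search for a cycle in the directed graph with edge set rel."""
    succ = defaultdict(set)
    for x, y in rel:
        succ[x].add(y)
    state = {}                          # node -> "active" (on the DFS stack) or "done"

    def visit(n):
        state[n] = "active"
        for m in succ[n]:
            if state.get(m) == "active":
                return False            # back edge: the relation has a cycle
            if m not in state and not visit(m):
                return False
        state[n] = "done"
        return True

    return all(visit(n) for n in list(succ) if n not in state)

def conflict_equivalent(s1, s2, conflict=rw_conflict):
    """First formulation: same conflict relation on transactions."""
    return conflict_relation(s1, conflict) == conflict_relation(s2, conflict)

def conflict_serializable(schedule, conflict=rw_conflict):
    """Second formulation: sigma is conflict serializable iff CR_sigma is acyclic."""
    return is_acyclic(conflict_relation(schedule, conflict))

# The schedules of Sections 1.1 and 1.2 with s fixed: DEP(a[s],d) and INT(a[s],r) each
# read and write a[s] and then read and write ba (Figure 1.1).
def ops(txn):
    return [(txn, "r", "a[s]"), (txn, "w", "a[s]"), (txn, "r", "ba"), (txn, "w", "ba")]

DEP_OPS, INT_OPS = ops("DEP"), ops("INT")
SIGMA0 = [DEP_OPS[0], INT_OPS[0], DEP_OPS[1], INT_OPS[1],
          DEP_OPS[2], DEP_OPS[3], INT_OPS[2], INT_OPS[3]]     # lost update
SIGMA1 = [DEP_OPS[0], DEP_OPS[1], INT_OPS[0], INT_OPS[1],
          DEP_OPS[2], DEP_OPS[3], INT_OPS[2], INT_OPS[3]]     # serializable
SIGMA2 = DEP_OPS + INT_OPS                                    # serial: DEP then INT

if __name__ == "__main__":
    for name, sched in [("sigma0", SIGMA0), ("sigma1", SIGMA1), ("sigma2", SIGMA2)]:
        print(name, sorted(conflict_relation(sched)),
              "conflict serializable" if conflict_serializable(sched) else "NOT serializable")
```

σ0 yields both (DEP, INT) and (INT, DEP), hence a cycle, while σ1 yields only (DEP, INT), the same relation as the serial schedule σ2.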

Another class of serializability definitions involves those that compare schedules on the basis of how they transform a system from one state to another. This class is sometimes subdivided into final-state serializability and view serializability [P86]. In both of these subclasses, a schedule "behaves like" another if and only if both transform identical initial states to identical final states. However, final-state and view serializability differ as to what portion of the system state is used to compare the effect of schedules.

In the definition of final-state serializability found in [K83], system states are compared according to the value of only those variables that are shared by transactions. However, it is argued in [Y84] that final-state serializability is inappropriate for models in which transactions contain read operations because it ignores the values copied into a transaction's local storage by read operations and does not take into account the possibility that transactions might read inconsistent values and behave erratically or present inconsistent output to users of the database system. View serializability is therefore proposed in [Y84] as a more appropriate definition of serializability. When comparing the effect of schedules, view serializability includes in the system state the values read by transactions in addition to the values of shared variables.
In [P79], the relationship between conflict and view serializability is explored. It is proven that every conflict-serializable schedule is also view serializable. In light of this result, view serializability would seem to be a preferable definition because of its generality. However, it is also shown in [P79] that the complexity of the general problem of deciding whether a schedule is view serializable as a function of its length is NP-complete. This makes it improbable that efficient algorithms can be constructed for synchronizing arbitrary sets of transactions. Because a schedule can be determined to be conflict serializable in time polynomial in its length, conflict serializability is more often used in practice as the basis for concurrency control.

1.3.5 Alternatives to Serializability

Some have suggested that requiring every schedule to be equivalent to some serial schedule is too strict a requirement for database systems (e.g. [L76]). The Concurrency Control Problem requires only that transactions transform the database system from one consistent state to another. Every serializable schedule will accomplish this, but in some cases there may be non-serializable schedules that do so as well.

An alternative is proposed in [G83]. There, every schedule is required to be semantically consistent rather than serializable. A schedule σ is semantically consistent if

• σ transforms the system from one consistent state to another, and

• there is a serial schedule σ' such that for every initial consistent state, σ and σ' leave the same values in a specified set of RS variables (for Requiring Serializability).
Since the RS variables need not include every variable of the consistency constraint, the first requirement is not redundant. This approach has the advantage of allowing more concurrency than if schedules are required to be serializable. A simple example of a database system that models an airline reservation system is given in [G83] to illustrate this. The system contains four variables SX, SY, TX and TY. The value of SX denotes the number of passengers on a flight FX, while TX denotes the type of plane scheduled to handle that flight: either "small" or "large". Variables SY and TY denote the same information for a flight FY. The consistency constraint for the system is

(SX ≥ 100 ⇒ TX = "large") ∧ (SY ≥ 100 ⇒ TY = "large").

The RS variables are SX and SY.

Two transactions are considered, one that reserves a seat on both flights:

RXY:  R1: Increment SX by 1. If SX ≥ 100, change TX to "large".
      R2: Increment SY by 1. If SY ≥ 100, change TY to "large".

and one that cancels a seat on both flights:

CXY:  C1: Decrement SX by 1.
      C2: Decrement SY by 1.

Suppose that both RXY and CXY run concurrently in an initially consistent state with SX = SY = 99 and TX = TY = "small", producing the schedule

σ3: R1, C1, C2, R2.

This schedule will leave SX = SY = 99, TX = "large" and TY = "small", which is also a consistent state. It also leaves the RS variables SX and SY with the same values as either of the two possible serial schedules. Consequently, σ3 is semantically consistent. However, σ3 is not serializable under any of the definitions described previously and would not be allowed in a database system requiring serializability. Thus, an advantage of replacing serializability by the weaker requirement of semantic consistency is that more concurrency among transactions is possible. A disadvantage of this approach is that analysis of synchronization requirements for semantic consistency can be more complicated than for serializability because of the details of the consistency constraint and operation semantics that must be considered.
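The airline example can be checked by running it. The following is an added example, not code from [G83] or from the dissertation: it models the four variables and the steps R1, R2, C1, C2, runs σ3 and both serial schedules, and tests the two requirements of semantic consistency (consistent final state, and agreement with one serial schedule on the RS variables from every initial consistent state) beside the stricter whole-state comparison that σ3 fails. The grid of initial states is constructed for the check; the definition quantifies over all initial consistent states.

```python
# Added example, not from [G83] or the dissertation: the airline reservation system of
# Section 1.3.5 as an executable model, used to test semantic consistency of sigma3.

def r1(s):                       # R1: reserve a seat on FX
    s["SX"] += 1
    if s["SX"] >= 100:
        s["TX"] = "large"

def r2(s):                       # R2: reserve a seat on FY
    s["SY"] += 1
    if s["SY"] >= 100:
        s["TY"] = "large"

def c1(s):                       # C1: cancel a seat on FX
    s["SX"] -= 1

def c2(s):                       # C2: cancel a seat on FY
    s["SY"] -= 1

STEPS = {"R1": r1, "R2": r2, "C1": c1, "C2": c2}
SERIAL = {"RXY;CXY": ["R1", "R2", "C1", "C2"], "CXY;RXY": ["C1", "C2", "R1", "R2"]}
SIGMA3 = ["R1", "C1", "C2", "R2"]
RS = ("SX", "SY")                                                   # the RS variables of [G83]
INITIAL = {"SX": 99, "SY": 99, "TX": "small", "TY": "small"}        # the text's initial state

def run(schedule, initial):
    """Execute the steps of a schedule in order on a copy of the initial state."""
    s = dict(initial)
    for name in schedule:
        STEPS[name](s)
    return s

def consistent(s):
    """(SX >= 100 => TX = "large") and (SY >= 100 => TY = "large")."""
    return (s["SX"] < 100 or s["TX"] == "large") and (s["SY"] < 100 or s["TY"] == "large")

def consistent_initial_states(lo=97, hi=102):
    """Constructed grid of initial states around the 100-seat threshold, filtered by the constraint."""
    states = [{"SX": sx, "SY": sy, "TX": tx, "TY": ty}
              for sx in range(lo, hi + 1) for sy in range(lo, hi + 1)
              for tx in ("small", "large") for ty in ("small", "large")]
    return [s for s in states if consistent(s)]

def semantically_consistent(schedule, initial_states):
    """[G83]: every run ends in a consistent state, and some one serial schedule agrees with
    the schedule on the RS variables from each initial state supplied."""
    finals = [run(schedule, s) for s in initial_states]
    if not all(consistent(f) for f in finals):
        return False
    return any(all(f[v] == run(serial, s)[v]
                   for f, s in zip(finals, initial_states) for v in RS)
               for serial in SERIAL.values())

def final_state_serializable(schedule, initial):
    """Stricter comparison: the entire final state must equal that of some serial schedule."""
    final = run(schedule, initial)
    return any(final == run(serial, initial) for serial in SERIAL.values())

if __name__ == "__main__":
    print("sigma3 leaves", run(SIGMA3, INITIAL))
    print("semantically consistent:", semantically_consistent(SIGMA3, consistent_initial_states()))
    print("final-state serializable from the text's initial state:",
          final_state_serializable(SIGMA3, INITIAL))
```

From the text's initial state the two serial schedules leave TX = TY = "large" and TX = TY = "small" respectively, so σ3's final state matches neither, although it agrees with both on SX and SY.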

1.4 Reasoning About Concurrency

A database system can be viewed as a concurrent program—a collection of sequential programs that run concurrently. Properties of concurrent programs can be viewed in terms of safety and liveness. A safety property is one that specifies that one of a given set of "bad" states is never reached. An example of a safety property is partial correctness, which says that execution that begins in one of a given set of initial states does not terminate in a state outside of a given set of final states. A liveness property is one that specifies that some set of "good" states are eventually reached. An example of a liveness property is termination, which says that execution that begins in one of a given set of initial states eventually terminates.

As the schedules considered previously indicate, execution of a concurrent program can produce any of a number of different interleavings of its constituent operations. The interleavings that are possible depend on the atomic operations that constitute the concurrent program. An atomic operation is one that indivisibly runs to completion once started. Following [L80], an atomic operation that executes program text S is denoted ⟨S⟩. In the sequel, we will write S in Guarded Command Notation [D76] but require that S is deterministic.

For  all  but  the  simplest  concurrent  programs,  the  number  of  different  schedules  is 
apt  to  be  too  large  for  safety  and  liveness  properties  to  be  verified  by  considering  every 
possible  schedule.  To  address  this  problem,  a  more  tractable  approach  to  reasoning 
about  concurrent  programs  has  been  developed.  It  is  based  on  the  use  of  a  formal 
logical  system  relating  program  behavior  to  predicates  on  program  states. 

Proof Outline Logic [SA87] is one programming logic for expressing and proving
safety properties of concurrent programs. A proof outline is a formula

$$\{Q\}\ S\ \{R\}$$

where $Q$ and $R$ are predicates on the system state and are called assertions; $S$ is an
annotated program, a program in which each atomic operation $\langle a \rangle$ is preceded by zero
or more assertions. An assertion that immediately precedes $\langle a \rangle$ in the proof outline is
called the precondition of $\langle a \rangle$ and is denoted $pre(\langle a \rangle)$. An assertion that immediately
follows $\langle a \rangle$ is called the postcondition of $\langle a \rangle$ and is denoted $post(\langle a \rangle)$.

A proof outline $\{Q\}\ S\ \{R\}$ specifies the safety property that if $S$ is started at some
atomic operation $\langle a \rangle$ in a state that satisfies $pre(\langle a \rangle)$, then at any point reached
during execution, the state will satisfy the assertion or assertions that appear at that
point. Proof Outline Logic provides a set of axioms and inference rules for inferring
valid proof outlines. These axioms and rules include those of Predicate Logic [S67]
along with axioms and rules given in [SA87] that are specific to Proof Outline Logic.
A summary of these rules can be found in Appendix A of this dissertation.


Dijkstra's weakest precondition predicate transformer [D76], a function that maps
one assertion to another, is often used in conjunction with Proof Outline Logic to reason
about programs. For $S$ an operation or program and $R$ a predicate, the predicate
$wp(S,R)$ (read the weakest precondition of $S$ with respect to $R$) denotes the largest set
of states in which execution of $S$ is guaranteed to terminate leaving $R$ true. From the
semantics of proof outlines and $wp$, it follows that

$$\{wp(S,R)\}\ S\ \{R\}$$

is a valid proof outline for any $S$ and $R$. Thus, a precondition of $S$ that allows a given
postcondition $R$ to be asserted can be computed using $wp$. A summary of general
properties of $wp$ along with rules for computing $wp(S,R)$ can be found in Appendix B.

Assertional reasoning is the name given to the style of characterizing program
semantics in terms of assertions on the program state. When compared to other
approaches to reasoning about concurrent programs, an apparent disadvantage of
assertional reasoning is the level of detail at which the analysis is carried out. Of course,
this is also an advantage since it is possible to capture detailed semantic information
that is ignored in other formal systems. Another advantage of assertional reasoning
is that properties of concurrent programs are often specified most naturally in terms
of properties of the states reached during execution. For example, a solution to the
Concurrency Control Problem requires every execution that begins in a consistent state
to leave a consistent state. This is an assertional property since it specifies a property
of the system state (consistency) at points during execution (before and after).
Yet another advantage of assertional reasoning is the ability not only to prove that
a given program satisfies a particular specification, but also to derive programs from
their specification, using the inference rules of the logic to motivate refinement of the
program.

1.5  Overview  of  Dissertation 

This thesis describes the application of assertional reasoning to the Concurrency
Control Problem. Chapter 2 presents a new definition of serializability that is based on
assertional reasoning and generalizes previously proposed definitions in several respects.
A method for using Proof Outline Logic to specify and prove that database systems
satisfy this definition of serializability is then presented. Chapter 3 presents an
assertional view of locking and describes a method for deriving locking protocols. This
method is then used to derive synchronization for a database system modeling a simple
banking application. Finally, Chapter 4 summarizes the thesis and draws some
conclusions from the research presented here.
Chapter 2


Serializability 


As discussed in Section 1.3, there is no standard system model or definition of
serializability. In this chapter, we describe the system model used in the remainder of this
dissertation. We then propose a definition of serializability that generalizes previous
definitions of serializability in several ways. Finally, we demonstrate how this definition
can be formulated in Proof Outline Logic.

2.1  Database  System  Model 

Concurrent execution of a set of transactions is denoted

$$\textbf{cobegin}\ T_0 \parallel \cdots \parallel T_{N-1}\ \textbf{coend}. \tag{2.1}$$

A necessary condition for an atomic operation $\langle S \rangle$ in (2.1) to run is that it be enabled,
which means that the control point before $\langle S \rangle$ has been reached and the system state is
one in which $S$ will run to completion. During execution of (2.1), however, it is possible
for more than one operation to be enabled at the same time. Consequently, a scheduling
policy must be given to specify how operations are selected for execution from among
those that are enabled. We will assume in the remainder of this dissertation that
concurrent execution of transactions follows a weakly fair scheduling policy [SA87] —
no operation that becomes and remains enabled will be forever delayed.

Execution of (2.1) terminates when every transaction has terminated. A transaction
$\tau_i$ can terminate in two ways. One is for $\tau_i$ to complete by executing an operation
$\langle end(\tau_i) \rangle$ and halting. The other way in which $\tau_i$ can terminate is to abort. A
transaction aborts when conditions such as deadlock, system failure, or unexpected input
make it undesirable or impossible for it to complete. $\tau_i$ aborts by executing an
operation $\langle abort(\tau_i) \rangle$ and halting. Operation $\langle abort(\tau_i) \rangle$ typically implements recovery
operations to cancel the effect of operations previously executed by $\tau_i$.

A database system $\Sigma$ can be specified by a 4-tuple $(V, C, T, \equiv)$, where $V =
(v_0, \ldots, v_n)$ is a vector of variables, $C$ is a predicate on $V$, $T = \{\tau_0, \ldots, \tau_{N-1}\}$ is a set of
sequential programs, and $\equiv$ is an equivalence relation on the domain of $V$ (the cross
product of the domains of the variables of $V$). Variables of $V$ characterize the state
of $\Sigma$. Any system state can be written as a vector of constants $V' = (v'_0, \ldots, v'_n)$, where
each $v'_i$ is the value of the corresponding variable $v_i$ in that state. For any predicate $P$
on $V$, $P$ is true in state $V'$ if and only if $P^{V}_{V'} = true$.¹ Predicate $C$ in the specification
of $\Sigma$ is a predicate that implies the consistency constraint of $\Sigma$; a state is consistent if
$C$ is true in that state.

Each $\tau_i \in T$ models a transaction of $\Sigma$. An execution of $\Sigma$ is an execution of the
concurrent program

$$\textbf{cobegin}\ \tau_0 \parallel \cdots \parallel \tau_{N-1}\ \textbf{coend}, \tag{2.2}$$

and a schedule of $\Sigma$ is the sequence of atomic operations resulting from a terminating
execution of (2.2). We assume that each $\tau_i$ will complete leaving $C$ true when executed
in isolation starting with $C$ true. For each $\tau_i \in T$, we will assume that $V$ contains a
Boolean variable $cf_i$, called the completion flag of $\tau_i$, such that $cf_i = true$ if and only if
$\tau_i$ has completed. This models information that is typically found in system logs.

¹ $P^{V}_{E}$ denotes the result obtained by simultaneously replacing all occurrences of $v_i$ by the
corresponding $e_i$.

The equivalence relation $\equiv$ in the specification of $\Sigma$ is a binary relation on the
domain of $V$ and partitions the states of $\Sigma$ into equivalence classes. Each equivalence
class contains the states that cannot be distinguished from one another by the
application supported by $\Sigma$. This provides an abstraction that hides aspects of the system
state that are irrelevant to the application being supported. To limit the amount of
information that can be hidden, $\equiv$ is required to satisfy two adequacy constraints:

AC1. For all system states $V'$ and $V''$,

$$(V' \equiv V'') \Rightarrow (\forall i:\ 0 \le i < N:\ cf'_i = cf''_i).$$

AC2. For all system states $V'$ and $V''$,

t 

AC1 ensures that states in which different sets of transactions have completed are
distinguishable. AC2 ensures that consistent states and inconsistent states are
distinguishable.

An example of a database specified as a 4-tuple is $\Sigma0$ of Figure 2.1. $\Sigma0$ models an
application in which a series of independent events move elements one at a time from the
head of one queue to the rear of another, as in a factory where parts are transferred
from one assembly line to another. $V0$ contains two sequence variables $q0$ and $q1$
modeling the two queues, and a variable $x_i$ for each $\tau_i$ in $T0$ to hold the item removed
from $q0$ and not yet appended to $q1$.

$$\Sigma0 = (V0, C0, T0, \equiv_0)$$

$$V0 = (q0, q1, x_0, \ldots, x_{N-1}, cf_0, \ldots, cf_{N-1})$$

$$C0 = (q1 \cdot q0 = Q\ \wedge\ |q0| \ge (\#\, k:\ 0 \le k < N:\ cf_k = false))$$

$$T0 = \{\tau_0, \ldots, \tau_{N-1}\}$$

$$\tau_i = S1_i:\ \langle x_i, q0 := q0(0), q0(1..) \rangle;\quad S2_i:\ \langle q1 := q1 \cdot x_i \rangle;\quad S3_i:\ \langle end(\tau_i) \rangle$$

$$(V0' \equiv_0 V0'') \Leftrightarrow (q0' = q0''\ \wedge\ q1' = q1''\ \wedge\ \forall k:\ 0 \le k < N:\ cf'_k = cf''_k)$$

Figure 2.1: Database System $\Sigma0$.

The following notation is used for sequence variables:

$|s|$  the number of elements in $s$.
$s(i)$  the $i$th element of $s$ for $0 \le i < |s|$.
$s(i..j)$  the subsequence of consecutive elements from the $i$th to the $j$th for
$0 \le i \le j < |s|$ (and the empty sequence if $i > j$).
$s(i..)$  an abbreviation for $s(i..|s|-1)$.
$s1 \cdot s2$  the catenation of $s1$ and $s2$.

The conjunct $q1 \cdot q0 = Q$ in the consistency constraint $C0$ specifies that queue
elements are not lost in the transfer, while the second conjunct² $|q0| \ge (\#\, k:\ 0 \le k < N:\ cf_k = false)$
specifies that $q0$ contains enough elements for every transaction that
has not completed to remove one. Each transaction $\tau_i \in T0$ models the transfer of one
element from the first queue to the second, using a local variable $x_i$ for temporary
storage of the element removed. For simplicity, we assume that transactions of $\Sigma0$
terminate only by completing. The operation $S1_i$ moves the first element of $q0$ into
$x_i$, and $S2_i$ then moves it to the rear of $q1$; $S3_i$ has no effect other than ensuring that
$cf_i = true$.

² $(\#\, i:\ R:\ P)$ denotes the number of values $i$ in range $R$ that satisfy $P$.

The equivalence relation $\equiv_0$ specifies that two states $V0'$ and $V0''$ are equivalent
when each of $q0$ and $q1$ contains the same sequence of elements in both states, and the
same transactions have completed. The values of temporary variables $x_i$ are
ignored by $\equiv_0$ since the particular order in which transactions run is insignificant in
this application.

2.2  Serializability 

Recall that $wp(S,R)$ denotes the set of states in which execution of $S$ will terminate
leaving $R$ true. Using $wp$, it is possible to formalize the property that a schedule $\sigma$
"behaves like" a serial schedule.

Definition 2.2.1 (Serializable Schedule) Let $\Sigma = (V, C, T, \equiv)$ be a database
system and let $SER(T)$ denote the set of serial schedules for $\Sigma$, each schedule consisting
of zero or more transactions of $T$. Let $\bar{V}$ be a vector of new variables each having
the same domain as the corresponding one in $V$. A schedule $\sigma$ of $\Sigma$ is a serializable
schedule of $\Sigma$ if and only if:

$$\models (C \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (\bigvee_{\sigma' \in SER(T)} wp(\sigma', V \equiv \bar{V})).$$

□

Definition 2.2.1 can be interpreted as follows. A state satisfying the antecedent is
one satisfying the consistency constraint and in which execution of $\sigma$ is guaranteed
to terminate in a state indistinguishable under $\equiv$ from $\bar{V}$. A state that satisfies the
consequent is one in which execution of at least one serial schedule of $\Sigma$ is guaranteed to
terminate in a state indistinguishable under $\equiv$ from $\bar{V}$. Thus, the implication specifies
that any consistent state in which execution of $\sigma$ terminates in a state indistinguishable
from $\bar{V}$ is one in which execution of at least one serial schedule $\sigma'$ of $\Sigma$ terminates in
a state indistinguishable from $\bar{V}$. From the assumption that $\equiv$ satisfies adequacy
constraint AC1, it follows that the states reached by $\sigma$ and $\sigma'$ will have the same set
of completed transactions. From the assumption that $\equiv$ satisfies adequacy constraint
AC2, it will follow that the state reached by $\sigma$ will satisfy the consistency constraint
if and only if the state reached by $\sigma'$ does. Since $\sigma'$ is a serial schedule that starts in
a consistent state, it will always leave a consistent state, and consequently the state
reached by $\sigma$ will be consistent.

For an example of a schedule that is serializable according to Definition 2.2.1,
consider $\Sigma0$ of Figure 2.1. When $N = 2$, execution of $\Sigma0$ can produce the schedule

$$\sigma A:\ S1_0;\ S1_1;\ S2_0;\ S2_1;\ S3_0;\ S3_1.$$

Consider the serial schedule

$$\sigma B:\ S1_0;\ S2_0;\ S3_0;\ S1_1;\ S2_1;\ S3_1.$$

Using the rules for computing $wp$ (see Appendix B for a summary), it can be shown
that

$$(C0 \wedge wp(\sigma A, V0 \equiv_0 \overline{V0})) = (q1 \cdot q0 = Q\ \wedge\ |q0| \ge (\#\, k:\ 0 \le k < 2:\ cf_k = false)\ \wedge\ q0(2..) = \overline{q0}\ \wedge\ q1 \cdot q0(0) \cdot q0(1) = \overline{q1}\ \wedge\ true = \overline{cf}_0 = \overline{cf}_1)$$

and

$$wp(\sigma B, V0 \equiv_0 \overline{V0}) = (q0(2..) = \overline{q0}\ \wedge\ q1 \cdot q0(0) \cdot q0(1) = \overline{q1}\ \wedge\ true = \overline{cf}_0 = \overline{cf}_1).$$

From this it follows that

$$(C0 \wedge wp(\sigma A, V0 \equiv_0 \overline{V0})) \Rightarrow wp(\sigma B, V0 \equiv_0 \overline{V0})$$

and since $\sigma B \in SER(T0)$,

$$\models (C0 \wedge wp(\sigma A, V0 \equiv_0 \overline{V0})) \Rightarrow (\bigvee_{\sigma' \in SER(T0)} wp(\sigma', V0 \equiv_0 \overline{V0})).$$

Therefore, $\sigma A$ is serializable according to our definition.
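The $wp$ computation above, as an added example that is not part of the dissertation: a small Python model of the atomic operations of $\Sigma0$ ($N = 2$) as multiple assignments, with $wp$ of an assignment taken as substitution and $wp$ of a sequence as right-to-left composition. It reproduces the predicates for $\sigma A$ and $\sigma B$ and adds a constructed schedule $\sigma C$ ($S1_0; S1_1; S2_1; S2_0; S3_0; S3_1$) whose $wp$ matches no serial schedule; modelling $end(\tau_i)$ as $cf_i := true$, the syntactic test, and the constructed initial state are assumptions of this example.

```python
"""Symbolic weakest preconditions for the queue-transfer system Sigma0 with N = 2.

Expressions are nested tuples:
  ('var', name)   a variable: q0, q1, x_i, cf_i, or a barred copy such as 'q0_bar'
  ('idx', s, k)   s(k), the k-th element of sequence s
  ('tail', s, k)  s(k..), the elements of s from the k-th on
  ('cat', a, b)   a . b, catenation of a sequence with a sequence or an element
  ('true',)       the Boolean constant
A predicate is a conjunction of equalities, kept as a list of (lhs, rhs) pairs."""
from typing import Dict, List, Tuple

Expr = tuple
Pred = List[Tuple[Expr, Expr]]

def var(name: str) -> Expr:
    return ('var', name)

def simplify(e: Expr) -> Expr:
    """Normalise indexing into tails: s(k..)(j) = s(k+j) and s(k..)(j..) = s(k+j..)."""
    if e[0] in ('idx', 'tail'):
        s = simplify(e[1])
        if s[0] == 'tail':
            return (e[0], s[1], s[2] + e[2])
        return (e[0], s, e[2])
    if e[0] == 'cat':
        return ('cat', simplify(e[1]), simplify(e[2]))
    return e

def subst(e: Expr, sigma: Dict[str, Expr]) -> Expr:
    """e with every variable in sigma simultaneously replaced (the P^V_E of the text)."""
    if e[0] == 'var':
        return sigma.get(e[1], e)
    if e[0] in ('idx', 'tail'):
        return (e[0], subst(e[1], sigma), e[2])
    if e[0] == 'cat':
        return ('cat', subst(e[1], sigma), subst(e[2], sigma))
    return e

def wp_assign(assign: Dict[str, Expr], post: Pred) -> Pred:
    """wp(x1,..,xn := e1,..,en, R) is R with each xi replaced by ei."""
    return [(simplify(subst(l, assign)), simplify(subst(r, assign))) for l, r in post]

def wp_schedule(schedule: List[Dict[str, Expr]], post: Pred) -> Pred:
    """wp(S; T, R) = wp(S, wp(T, R)): fold the operations from last to first."""
    for op in reversed(schedule):
        post = wp_assign(op, post)
    return post

# The atomic operations of tau_i in Figure 2.1, written as multiple assignments.
def S1(i): return {f'x_{i}': ('idx', var('q0'), 0), 'q0': ('tail', var('q0'), 1)}  # <x_i,q0 := q0(0),q0(1..)>
def S2(i): return {'q1': ('cat', var('q1'), var(f'x_{i}'))}                        # <q1 := q1 . x_i>
def S3(i): return {f'cf_{i}': ('true',)}          # <end(tau_i)> modelled as cf_i := true (assumption)

# V0 ==0 V0_bar for N = 2: same queues, same completion flags (Figure 2.1).
EQUIV0: Pred = [(var('q0'), var('q0_bar')), (var('q1'), var('q1_bar')),
                (var('cf_0'), var('cf_0_bar')), (var('cf_1'), var('cf_1_bar'))]

SIGMA_A = [S1(0), S1(1), S2(0), S2(1), S3(0), S3(1)]   # interleaved schedule from the text
SIGMA_B = [S1(0), S2(0), S3(0), S1(1), S2(1), S3(1)]   # serial: tau_0 then tau_1
SIGMA_B2 = [S1(1), S2(1), S3(1), S1(0), S2(0), S3(0)]  # serial: tau_1 then tau_0
SIGMA_C = [S1(0), S1(1), S2(1), S2(0), S3(0), S3(1)]   # constructed: appends in swapped order

def show(e: Expr) -> str:
    """Render an expression in the dissertation's sequence notation."""
    if e[0] == 'var':
        return e[1]
    if e[0] == 'idx':
        return f'{show(e[1])}({e[2]})'
    if e[0] == 'tail':
        return f'{show(e[1])}({e[2]}..)'
    if e[0] == 'cat':
        return f'{show(e[1])}.{show(e[2])}'
    return 'true'

def serializable_by_wp(schedule, serial_schedules, post: Pred = EQUIV0) -> bool:
    """Sufficient syntactic test for Definition 2.2.1: if wp(sigma, R) coincides with
    wp(sigma', R) for some serial sigma', the implication in the definition holds."""
    target = wp_schedule(schedule, post)
    return any(wp_schedule(s, post) == target for s in serial_schedules)

def evaluate(e: Expr, state: Dict[str, object]):
    """Evaluate an expression in a concrete state (sequences are Python lists)."""
    if e[0] == 'var':
        return state[e[1]]
    if e[0] == 'idx':
        return evaluate(e[1], state)[e[2]]
    if e[0] == 'tail':
        return evaluate(e[1], state)[e[2]:]
    if e[0] == 'cat':
        a, b = evaluate(e[1], state), evaluate(e[2], state)
        return a + (b if isinstance(b, list) else [b])
    return True

def wp_image(schedule, state: Dict[str, object]) -> list:
    """Values of the left-hand sides of wp(schedule, EQUIV0) in a concrete state, i.e.
    the values the barred variables must take: the state the schedule leaves behind."""
    return [evaluate(l, state) for l, _ in wp_schedule(schedule, EQUIV0)]
```

Evaluating the left-hand sides in the constructed state $q0 = (1, 2)$, $q1 = ()$ shows why $\sigma C$ fails: it leaves $q1 = (2, 1)$ while every serial schedule leaves $(1, 2)$.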

Definition  2.2.1  for  serializable  schedules  can  be  extended  to  obtain  a  definition  for 


2.3  Serializability  with  Proof  Outlines 


Definition 2.2.1 characterizes serializability using $wp$. It is also possible to characterize
serializability using proof outlines. Two benefits result from such a formulation. The
first is that Proof Outline Logic then can be used to verify formally the serializability
of a database system. The second, explored more fully in Chapter 3, is that it becomes
possible to derive synchronization protocols that ensure serializability.

A Proof Outline Logic characterization of serializability is formulated by
introducing auxiliary variables and operations on them that allow the behavior of serial
schedules to be characterized by assertions. Let $\Sigma = (V, C, T, \equiv)$ be a database system
with variables

$$V = (v_0, \ldots, v_n)$$

and transactions

$$T = \{\tau_0, \ldots, \tau_{N-1}\}.$$

Define a vector of new variables

$$\hat{V} = (\hat{v}_0, \ldots, \hat{v}_n)$$

with each new variable having the same type as the corresponding variable in
$V$. Each $\hat{v}_j$ is called the shadow variable corresponding to $v_j$. With these shadow
variables, construct a set of new transactions $\hat{T}$, where each $\hat{\tau}_i$ is obtained from $\tau_i$ by
replacing all references to $v_j \in V$ by a reference to the corresponding $\hat{v}_j \in \hat{V}$. Each
$\hat{\tau}_i$ is called the shadow transaction corresponding to $\tau_i$.

Let $SER(\hat{T})$ denote the set of serial schedules consisting of zero or more
transactions of $\hat{T}$. The isomorphism between $V$ and $\hat{V}$ and between each $\tau_i \in T$ and $\hat{\tau}_i \in \hat{T}$
implies that for any serial schedule $\sigma' \in SER(T)$, there is a serial schedule $\hat{\sigma} \in SER(\hat{T})$
that transforms $\hat{V}$ in the same way that $\sigma'$ transforms $V$. This isomorphism between
schedules of $SER(T)$ and $SER(\hat{T})$ makes it possible to construct a proof outline that
is valid if and only if $\sigma$ satisfies Definition 2.2.1.

Theorem 2.3.1 (Schedule Serializability with Proof Outlines) Schedule $\sigma$ of
database system $\Sigma = (V, C, T, \equiv)$ is a serializable schedule if and only if

$$SSO(\sigma):\ \{C \wedge V = \hat{V}\}\ \sigma\ \{\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})\}$$

is valid. □

Proof of Theorem 2.3.1 From the interpretation of $SSO(\sigma)$ and of the weakest
precondition predicate transformer, $SSO(\sigma)$ is a valid proof outline if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, true)) \Rightarrow wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})). \tag{2.3}$$

Thus, the theorem follows if $\sigma$ is a serializable schedule of $\Sigma$ if and only if (2.3). This
is proven in Lemma 2.3.4 below. □

The proof of Lemma 2.3.4 will frequently rely on inferences that are justified by
the following two lemmas. The first states that substituting subformulas of $A$ with
equivalent ones results in a formula that is equivalent to $A$.

Lemma 2.3.2 Let $A'$ be obtained from $A$ by replacing some occurrences of $B_1, \ldots,
B_n$ by $B'_1, \ldots, B'_n$, respectively. If

$$\models B_1 \Leftrightarrow B'_1,\ \ldots,\ \models B_n \Leftrightarrow B'_n,$$

then

$$\models A \text{ if and only if } \models A'.$$

□

Proof of Lemma 2.3.2 By induction on the structure of $A$. See [S67] for details. □

The second lemma characterizes the distributivity of $wp$ over conjunction with a
predicate $B$ when $B$ does not contain variables referenced by $S$.

Lemma 2.3.3 For any program $S$ and predicates $A$ and $B$, if $S$ does not change any
variable of $B$, then

$$\models (wp(S,A) \wedge B) \Leftrightarrow wp(S, A \wedge B).$$

□

Proof of Lemma 2.3.3 By definition, $wp(S,B)$ represents the set of all states such
that execution of $S$ begun in any one of them is guaranteed to terminate in a state
satisfying $B$. Since $S$ does not change any variable of $B$, then $wp(S,B)$ is the set of
states in which $S$ is guaranteed to terminate and in which $B$ is true. Thus,

$$\models (wp(S,true) \wedge B) \Leftrightarrow wp(S,B). \tag{2.4}$$

By Predicate Logic, $wp(S,A)$ can be conjoined to both sides of (2.4) giving

$$\models (wp(S,A) \wedge wp(S,true) \wedge B) \Leftrightarrow (wp(S,A) \wedge wp(S,B)). \tag{2.5}$$

Distributivity of Conjunction from Appendix B implies that

$$\models (wp(S,A) \wedge wp(S,true)) \Leftrightarrow wp(S, A \wedge true).$$

Substituting the right side for the left in (2.5) gives

$$\models (wp(S, A \wedge true) \wedge B) \Leftrightarrow (wp(S,A) \wedge wp(S,B)). \tag{2.6}$$

Distributivity of Conjunction also implies that

$$\models (wp(S,A) \wedge wp(S,B)) \Leftrightarrow wp(S, A \wedge B).$$

Substituting the right side for the left in (2.6) gives

$$\models (wp(S, A \wedge true) \wedge B) \Leftrightarrow wp(S, A \wedge B).$$

Since $(A \wedge true) \Leftrightarrow A$,

$$\models (wp(S,A) \wedge B) \Leftrightarrow wp(S, A \wedge B).$$

□

Using these lemmas, the equivalence of the serializability of $\sigma$ and the validity of
(2.3) can be proven.

Lemma 2.3.4 $\sigma$ is a serializable schedule of $\Sigma$ if and only if (2.3). □
Proof of Lemma 2.3.4 By Definition 2.2.1, $\sigma$ is serializable under $\equiv$ if and only if

$$\models (C \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (\bigvee_{\sigma' \in SER(T)} wp(\sigma', V \equiv \bar{V})). \tag{2.8}$$

From Predicate Logic,

$$\models P \Leftrightarrow (\forall \hat{V}:\ V = \hat{V} \Rightarrow P^{V}_{\hat{V}})$$

for any predicate $P$. Taking

$$P = [\bigvee_{\sigma' \in SER(T)} wp(\sigma', V \equiv \bar{V})]$$

and applying Lemma 2.3.2, (2.8) if and only if

$$\models (C \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (\forall \hat{V}:\ V = \hat{V} \Rightarrow (\bigvee_{\sigma' \in SER(T)} wp(\sigma', V \equiv \bar{V}))^{V}_{\hat{V}}). \tag{2.9}$$

From the construction of the shadow transactions and the definition of $SER(\hat{T})$,

$$\models (\bigvee_{\sigma' \in SER(T)} wp(\sigma', V \equiv \bar{V}))^{V}_{\hat{V}} \Leftrightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V})).$$

Thus, (2.9) if and only if

$$\models (C \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (\forall \hat{V}:\ V = \hat{V} \Rightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))). \tag{2.10}$$

From Predicate Logic, when variables of $\hat{V}$ are not free in $P$,

$$\models (P \Rightarrow (\forall \hat{V}:\ Q)) \Leftrightarrow (\forall \hat{V}:\ P \Rightarrow Q).$$

Taking

$$P = [C \wedge wp(\sigma, V \equiv \bar{V})] \text{ and } Q = [V = \hat{V} \Rightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))],$$

(2.10) if and only if

$$\models (\forall \hat{V}:\ (C \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (V = \hat{V} \Rightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V})))). \tag{2.11}$$

From Predicate Logic,

$$\models (\forall \hat{V}:\ P) \text{ if and only if } \models P.$$

Taking

$$P = [(C \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (V = \hat{V} \Rightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V})))],$$

(2.11) if and only if

$$\models (C \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (V = \hat{V} \Rightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))). \tag{2.12}$$

From Predicate Logic,

$$\models [P \Rightarrow (Q \Rightarrow R)] \Leftrightarrow [(P \wedge Q) \Rightarrow R].$$

Taking

$$P = [C \wedge wp(\sigma, V \equiv \bar{V})],\quad Q = [V = \hat{V}] \text{ and } R = [\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V})],$$

(2.12) if and only if

$$\models (C \wedge wp(\sigma, V \equiv \bar{V}) \wedge V = \hat{V}) \Rightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V})). \tag{2.13}$$

By the commutativity of conjunction in the antecedent, (2.13) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V})). \tag{2.14}$$

From Predicate Logic,

$$\models ((P \wedge Q) \Rightarrow R) \Leftrightarrow ((P \wedge Q) \Rightarrow (Q \wedge R)).$$

Taking

$$P = [C \wedge V = \hat{V}],\quad Q = [wp(\sigma, V \equiv \bar{V})] \text{ and } R = [\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V})],$$

(2.14) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (wp(\sigma, V \equiv \bar{V}) \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))). \tag{2.15}$$

Since $\sigma$ does not reference any free variable of $(\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))$, it follows
by Lemma 2.3.3 that

$$\models (wp(\sigma, V \equiv \bar{V}) \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))) \Leftrightarrow wp(\sigma, V \equiv \bar{V} \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))).$$

Thus, (2.15) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, V \equiv \bar{V} \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))). \tag{2.16}$$

Since conjunction distributes over disjunction,

$$\models (V \equiv \bar{V} \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))) \Leftrightarrow (\bigvee_{\hat{\sigma} \in SER(\hat{T})} V \equiv \bar{V} \wedge wp(\hat{\sigma}, \hat{V} \equiv \bar{V})).$$

Thus, (2.16) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, (\bigvee_{\hat{\sigma} \in SER(\hat{T})} V \equiv \bar{V} \wedge wp(\hat{\sigma}, \hat{V} \equiv \bar{V}))). \tag{2.17}$$

Using the property that $\hat{\sigma}$ does not modify any variable in $V \equiv \bar{V}$ and Lemma 2.3.3,

$$\models (V \equiv \bar{V} \wedge wp(\hat{\sigma}, \hat{V} \equiv \bar{V})) \Leftrightarrow wp(\hat{\sigma}, \hat{V} \equiv \bar{V} \wedge V \equiv \bar{V})$$

for each $\hat{\sigma} \in SER(\hat{T})$. Thus, (2.17) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, \hat{V} \equiv \bar{V} \wedge V \equiv \bar{V}))). \tag{2.18}$$

Because $\equiv$ is an equivalence relation, it is transitive and symmetric. From this it
follows that

$$\models (\hat{V} \equiv \bar{V} \wedge V \equiv \bar{V}) \Leftrightarrow (V \equiv \hat{V} \wedge V \equiv \bar{V}).$$

Thus, (2.18) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V} \wedge V \equiv \bar{V}))). \tag{2.19}$$

Using the property that $\hat{\sigma}$ does not modify variables of $V \equiv \bar{V}$ and Lemma 2.3.3,

$$\models wp(\hat{\sigma}, V \equiv \hat{V} \wedge V \equiv \bar{V}) \Leftrightarrow (V \equiv \bar{V} \wedge wp(\hat{\sigma}, V \equiv \hat{V})).$$

Thus, (2.19) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, (\bigvee_{\hat{\sigma} \in SER(\hat{T})} V \equiv \bar{V} \wedge wp(\hat{\sigma}, V \equiv \hat{V}))). \tag{2.20}$$

Since conjunction distributes over disjunction,

$$\models (\bigvee_{\hat{\sigma} \in SER(\hat{T})} V \equiv \bar{V} \wedge wp(\hat{\sigma}, V \equiv \hat{V})) \Leftrightarrow (V \equiv \bar{V} \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))).$$

Thus, (2.20) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, V \equiv \bar{V} \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))). \tag{2.21}$$

Since $wp$ satisfies the property of Distributivity of Conjunction,

$$\models wp(\sigma, V \equiv \bar{V} \wedge (\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))) \Leftrightarrow (wp(\sigma, V \equiv \bar{V}) \wedge wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))).$$

Thus, (2.21) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow (wp(\sigma, V \equiv \bar{V}) \wedge wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))). \tag{2.22}$$

From Predicate Logic,

$$\models ((P \wedge Q) \Rightarrow (Q \wedge R)) \Leftrightarrow ((P \wedge Q) \Rightarrow R).$$

Taking

$$P = [C \wedge V = \hat{V}],\quad Q = [wp(\sigma, V \equiv \bar{V})] \text{ and } R = [wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))],$$

(2.22) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})). \tag{2.23}$$

From Predicate Logic,

$$\models P \text{ if and only if } \models P^{\bar{V}}_{V}$$

for any predicate $P$. Taking

$$P = [(C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))],$$

(2.23) if and only if

$$\models [(C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv \bar{V})) \Rightarrow wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))]^{\bar{V}}_{V}. \tag{2.24}$$

Since $\bar{V}$ does not occur in $C \wedge V = \hat{V}$ or in $wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V}))$, (2.24)
if and only if

$$\models (C \wedge V = \hat{V} \wedge [wp(\sigma, V \equiv \bar{V})]^{\bar{V}}_{V}) \Rightarrow wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})). \tag{2.25}$$

Since³ $\bar{V}$ does not occur in $\sigma$,

$$\models [wp(\sigma, V \equiv \bar{V})]^{\bar{V}}_{V} \Leftrightarrow wp(\sigma, V \equiv V).$$

Thus, (2.25) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, V \equiv V)) \Rightarrow wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})). \tag{2.26}$$

Since $\equiv$ is an equivalence relation, it is reflexive. Thus,

$$\models (V \equiv V) \Leftrightarrow true.$$

Thus, (2.26) if and only if

$$\models (C \wedge V = \hat{V} \wedge wp(\sigma, true)) \Rightarrow wp(\sigma, \bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})). \tag{2.27}$$

By identity, (2.27) if and only if (2.3). □

³ This can be proven by induction on the structure of $\sigma$.
Theorem 2.3.1 characterizes in terms of proof outlines the serializability of a
particular schedule of a database system. This result can be extended to
obtain a similar characterization of the serializability of an entire database system.

Theorem 2.3.5 (System Serializability with Proof Outlines) Database
system $\Sigma = (V, C, T, \equiv)$ is a serializable system if and only if execution of $\Sigma$
terminates when started with $C \wedge V = \hat{V}$ true and

$$SDO(\Sigma):\ \{C \wedge V = \hat{V}\}\ \textbf{cobegin}\ \tau_0 \parallel \cdots \parallel \tau_{N-1}\ \textbf{coend}\ \{\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})\}$$

is valid. □

Proof of Theorem 2.3.5 Since the variables of $\hat{V}$ do not occur in transactions of $\Sigma$,
execution of $\Sigma$ terminates when started with $C \wedge V = \hat{V}$ true if and only if execution
of $\Sigma$ terminates when started with $C$ true. The interpretation of proof outlines and
the semantics of cobegin imply that $SDO(\Sigma)$ is valid if and only if

$$SSO(\sigma):\ \{C \wedge V = \hat{V}\}\ \sigma\ \{\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})\}$$

is valid for every schedule $\sigma$ of $\Sigma$. By Theorem 2.3.1, $SSO(\sigma)$ is valid if and only if
$\sigma$ is a serializable schedule. The theorem follows immediately from the definition of a
serializable system. □

The hypotheses of Theorem 2.3.5 suggest a method for proving a database system
serializable.

Method 2.3.6 (Proving System Serializability) To prove that a system $\Sigma =
(V, C, T, \equiv)$ is serializable:

1. Introduce Shadow Variables and Shadow Transactions. Define shadow
variables $\hat{V}$ and construct shadow transactions $\hat{T}$ corresponding to the variables
$V$ and transactions $T$ of $\Sigma$.

2. Prove $SDO(\Sigma)$. Prove that

$$SDO(\Sigma):\ \{C \wedge V = \hat{V}\}\ \textbf{cobegin}\ \tau_0 \parallel \cdots \parallel \tau_{N-1}\ \textbf{coend}\ \{\bigvee_{\hat{\sigma} \in SER(\hat{T})} wp(\hat{\sigma}, V \equiv \hat{V})\}$$

is valid.

3. Prove Termination. Prove that execution of $\Sigma$ terminates when started with
$C \wedge V = \hat{V}$ true.

□


2.4  An  Example 

We now present an example of the application of Method 2.3.6. As pointed out in
Section 2.2, $\Sigma0$ is not a serializable system. However, a serializable system can be
constructed from $\Sigma0$ by synchronizing transactions using a simplified version of the
conservative timestamp ordering protocol in [BG81].

In conservative timestamp ordering, a unique integer timestamp is assigned to each
transaction as it begins to run. A version number associated with each shared variable
holds the timestamp of the last transaction to access it. An operation from transaction
$\tau_i$ can access $v$ if it satisfies the following conditions.
TS1. The timestamp of $\tau_i$ is greater than the version number of $v$.

TS2. No transaction $\tau_j$ with a timestamp less than that of $\tau_i$ will later
attempt to access $v$.

Since each transaction sets the version number of $v$ to its timestamp when accessing
it, condition TS1 implies that the timestamp of a transaction $\tau_i$ accessing $v$ is greater
than that of another transaction $\tau_j$ that accesses $v$ immediately before $\tau_i$. One
consequence of this is that transactions are guaranteed to access $v$ in an order consistent
with that of their timestamps. Another consequence is that the version number of $v$
is monotonically non-decreasing. Therefore, if a transaction $\tau_j$ finds TS1 false when
attempting to access $v$, TS1 will subsequently remain false and prevent $\tau_j$ from
completing. To avoid this possibility, condition TS2 requires $\tau_i$ to wait before accessing $v$
until all transactions attempting to access $v$ and having smaller timestamps have done
so.⁴ The result is that transactions satisfying TS1 and TS2 will access $v$ in ascending
timestamp order without aborting.

We model the assignment of timestamps and synchronization of operations according
to version numbers as follows. Let $vq0$ and $vq1$ be integer variables holding the
version numbers of $q0$ and $q1$. For each $\tau_i \in T0$, let $ts_i$ be an integer variable holding
the timestamp of $\tau_i$ and let $clock$ be an integer variable holding the value of the global
clock. To model the selection of a timestamp by $\tau_i$, the operation

$$S0_i:\ \langle clock, ts_i := clock + 1, clock + 1 \rangle$$

is added to $\tau_i$ before $S1_i$. To model the update of version numbers when $\tau_i$ accesses
$q0$ and $q1$,

$$vq0 := ts_i$$

is added to $S1_i$ and

$$vq1 := ts_i$$

is added to $S2_i$.

⁴ Many timestamp protocols relax the second condition and abort transactions trying to access
variables with version numbers greater than their timestamp. However, these protocols require older versions
to be maintained for recovery purposes and also require additional machinery to cope with the possibility
of cascading aborts [BG81]. We choose the more restrictive protocol so that the proof of correctness is
not obscured by these additional complexities.

To  denote  synchronization  that  delays  an  operation  5  until  a  condition  B  becomes 
true,  we  enclose  5  in  a  guarded  command  of  the  form^ 

(if 5  ^  5fi). 

The following lemma provides a guard $B$ for $S1_i$ that ensures that the transactions of $T0$ satisfy conditions TS1 and TS2 for accessing $q0$.

Lemma 2.4.1 (Timestamp Condition) Transactions $\tau_0, \ldots, \tau_{N-1}$ satisfy conditions TS1 and TS2 for accessing $q0$ if each $S1_i$ is delayed until $vq0 + 1 = ts_i$. □

Proof of Lemma 2.4.1 Consider operation $S1_i$ in transaction $\tau_i$. Suppose that $S1_i$ does not run until $vq0 + 1 = ts_i$. Since

$$vq0 + 1 = ts_i > vq0,$$

delaying each $S1_i$ until $vq0 + 1 = ts_i$ ensures that the timestamp of each $\tau_i$ is greater than $vq0$ when $\tau_i$ accesses $q0$. This is what is required by condition TS1.

* Guarded Command Notation semantics specify that $\mathbf{if}\ B \rightarrow S\ \mathbf{fi}$ executes $S$ if started with $B$ true and will fail to terminate if started with $B$ false. Since atomic operations run to completion once started, execution of $\langle \mathbf{if}\ B \rightarrow S\ \mathbf{fi} \rangle$ delays until $B$ becomes true.
Now consider operation $S1_j$ in a transaction $\tau_j$, $j \ne i$, that runs after $S1_i$. Note that the assignment $vq0 := ts_i$ in $S1_i$ leaves … Since

$$vq0 + 1 = ts_j \Rightarrow ts_j > vq0,$$

$ts_j > vq0$ will be true when $S1_j$ runs. The assignment $vq0 := ts_i$ in $S1_i$ ensures that $vq0 \ge ts_i$ after $S1_i$ runs. Since

$$(vq0 + 1 = ts_j \land vq0 \ge ts_i) \Rightarrow ts_j > ts_i,$$

delaying each $S1_i$ until $vq0 + 1 = ts_i$ ensures that the timestamp of $\tau_j$ cannot be less than the timestamp of $\tau_i$ when $S1_j$ runs after $S1_i$. This is required by condition TS2. □

By Lemma 2.4.1, access to $q0$ will satisfy TS1 and TS2 if $vq0 + 1 = ts_i$ is chosen as the guard for each $S1_i$. By a similar analysis, it can be shown that access to $q1$ will satisfy TS1 and TS2 if $vq1 + 1 = ts_i$ is chosen as the guard for each $S2_i$. Because of the synchronization that has been added to the transactions, the conjunct

$$vq0 = vq1 = clock$$

has been added to the consistency constraint $C1$ to ensure that transactions complete when executed in isolation starting in a consistent state. In addition, the definition of $\equiv_1$ has been changed to ensure that it continues to satisfy adequacy constraint AC2. This gives the synchronized database system $\Sigma 1$ of Figure 2.2.

$$\Sigma 1 = (V1, C1, T1, \equiv_1)$$
$$V1 = (q0, q1, x_0, \ldots, x_{N-1}, cf_0, \ldots, cf_{N-1}, clock, vq0, vq1, ts_0, \ldots, ts_{N-1}),$$
$$C1 = (q1 \cdot q0 = Q \land |q0| \ge (\#k: 0 \le k < N: cf_k = false) \land vq0 = vq1 = clock),$$
$$T1 = \{\tau_0, \ldots, \tau_{N-1}\},$$
$$\tau_i = S0_i: \langle clock, ts_i := clock + 1, clock + 1 \rangle;$$
$$S1_i: \langle \mathbf{if}\ vq0 + 1 = ts_i \rightarrow x_i, q0, vq0 := q0(0), q0(1..), ts_i\ \mathbf{fi} \rangle;$$
$$S2_i: \langle \mathbf{if}\ vq1 + 1 = ts_i \rightarrow q1, vq1 := q1 \cdot x_i, ts_i\ \mathbf{fi} \rangle;$$
$$S3_i: \langle end(\tau_i) \rangle$$
$$(V1' \equiv_1 V1'') \Leftrightarrow (q0' = q0'' \land q1' = q1'' \land \bigwedge_{0 \le k < N} cf_k' = cf_k'' \land vq0' = vq0'' \land vq1' = vq1'' \land clock' = clock'')$$

Figure 2.2: Synchronized Database System $\Sigma 1$.

We can now apply Method 2.3.6 to prove that $\Sigma 1$ is serializable. First we define shadow variables

$$\bar{V}1:\ \bar{q0}, \bar{q1}, \bar{x}_0, \ldots, \bar{x}_{N-1}, \bar{cf}_0, \ldots, \bar{cf}_{N-1}, \bar{clock}, \bar{vq0}, \bar{vq1}, \bar{ts}_0, \ldots, \bar{ts}_{N-1}$$

corresponding to the variables of $V1$ and construct shadow transactions

$$\bar{\tau}_i:\ \langle \bar{clock}, \bar{ts}_i := \bar{clock} + 1, \bar{clock} + 1 \rangle;$$
$$\langle \mathbf{if}\ \bar{vq0} + 1 = \bar{ts}_i \rightarrow \bar{x}_i, \bar{q0}, \bar{vq0} := \bar{q0}(0), \bar{q0}(1..), \bar{ts}_i\ \mathbf{fi} \rangle;$$
$$\langle \mathbf{if}\ \bar{vq1} + 1 = \bar{ts}_i \rightarrow \bar{q1}, \bar{vq1} := \bar{q1} \cdot \bar{x}_i, \bar{ts}_i\ \mathbf{fi} \rangle;$$
$$\langle end(\bar{\tau}_i) \rangle$$

corresponding to each $\tau_i$.

Next, we prove that

$$SD0(\Sigma 1):\ \{C1 \land V1 = \bar{V}1\}$$
$$\mathbf{cobegin}\ \tau_0 \parallel \cdots \parallel \tau_{N-1}\ \mathbf{coend}$$
$$\{\bigvee_{\sigma \in SER(\bar{T}1)} wp(\sigma, V1 \equiv_1 \bar{V}1)\}$$

is valid. To do this, we first construct the full proof outline*

* A full proof outline is one in which every atomic operation is preceded and followed by at least one assertion.


$$FSD0(\Sigma 1):$$
$$\{C1 \land V1 = \bar{V}1\}$$
$$\langle CLOCK_0, VQ0_0, VQ1_0, \ldots, CLOCK_{N-1}, VQ0_{N-1}, VQ1_{N-1} := 0, \ldots, 0 \rangle$$
$$\{I \land \bigwedge_{0 \le k < N} 0 = VQ1_k = VQ0_k = CLOCK_k\}$$
$$\mathbf{cobegin}\ PO(\tau'_0) \parallel \cdots \parallel PO(\tau'_{N-1})\ \mathbf{coend}$$
$$\{\bar{vq0} = \bar{vq1} = \bar{clock} \land q0 = \bar{q0}(N..) \land q1 = \bar{q1} \cdot \bar{q0}(0..N-1) \land \bigwedge_{0 \le k < N} cf_k = true \land vq0 = vq1 = clock = \bar{clock} + N\}$$

where each $PO(\tau'_i)$ is the proof outline for $\tau'_i$ shown in Figure 2.3. In each $\tau'_i$, auxiliary variables [C73, OG76] $CLOCK_i$, $VQ0_i$ and $VQ1_i$ are used to record whether $\tau'_i$ has incremented $clock$, $vq0$, and $vq1$, respectively.

Each assertion contains the invariant

$$I:\ I0 \land I1 \land I2 \land I3 \land I4.$$

The first conjunct

$$I0:\ \bar{clock} = \bar{vq0} = \bar{vq1} \land (\forall k: 0 \le k < N: 0 \le VQ1_k \le VQ0_k \le CLOCK_k \le 1)$$
$$\land\ clock = \bar{clock} + \sum_{0 \le k < N} CLOCK_k \land vq0 = \bar{vq0} + \sum_{0 \le k < N} VQ0_k \land vq1 = \bar{vq1} + \sum_{0 \le k < N} VQ1_k$$

specifies that $\bar{clock}$, $\bar{vq0}$ and $\bar{vq1}$ remain equal, and bounds the values of $clock$, $vq0$ and $vq1$ in terms of the values of the auxiliary and shadow variables. The second conjunct

$$I1:\ |q0| \ge N - \sum_{0 \le k < N} VQ0_k \land |\bar{q0}| \ge N$$
$$\land\ q0 = \bar{q0}\Big(\big(\sum_{0 \le k < N} VQ0_k\big)..\Big) \land q1 = \bar{q1} \cdot \bar{q0}\Big(0..\big(\sum_{0 \le k < N} VQ1_k\big) - 1\Big)$$

bounds the size of $q0$ and $\bar{q0}$ and specifies in terms of the auxiliary variables the elements that have been transferred from $q0$ to $q1$. The third conjunct




$$I2:\ \bigwedge_{0 \le k < N} (CLOCK_k = 1 \Rightarrow ts_k \le clock) \land \bigwedge_{0 \le j \ne k < N} ((CLOCK_j = 1 \land CLOCK_k = 1) \Rightarrow ts_j \ne ts_k)$$

specifies that different transactions choose different timestamps, while the fourth and fifth conjuncts

$$I3:\ (\forall v: vq0 < v \le clock: (\exists k: 0 \le k < N: CLOCK_k = 1 \land VQ0_k = 0 \land v = ts_k))$$
$$I4:\ (\forall v: vq1 < v \le vq0: (\exists k: 0 \le k < N: VQ0_k = 1 \land VQ1_k = 0 \land v = ts_k))$$

specify that some transaction has a timestamp $ts_k = v$ for every value $v$ between $vq0 + 1$ and $clock$ or between $vq1 + 1$ and $vq0$.

The proof $FSD0(\Sigma 1)$ is a straightforward application of the axioms and rules of Proof Outline Logic, and is omitted here.

From $FSD0(\Sigma 1)$, $SD0(\Sigma 1)$ can be inferred as follows. From $FSD0(\Sigma 1)$, the proof outline

$$\{C1 \land V1 = \bar{V}1\} \qquad (2.28)$$
$$\mathbf{cobegin}\ \tau_0 \parallel \cdots \parallel \tau_{N-1}\ \mathbf{coend}$$
$$\{\bar{vq0} = \bar{vq1} = \bar{clock} \land q0 = \bar{q0}(N..) \land q1 = \bar{q1} \cdot \bar{q0}(0..N-1) \land \bigwedge_{0 \le k < N} cf_k = true \land vq0 = vq1 = clock = \bar{clock} + N\}$$

can be inferred using the Assertion Deletion Rule followed by the Auxiliary Variable Deletion Rule. It can be shown by induction on $N$ that

$$wp(\bar{\tau}_0; \ldots; \bar{\tau}_{N-1},\ V1 \equiv_1 \bar{V}1)$$
$$= (\bar{vq0} = \bar{vq1} = \bar{clock} \land q0 = \bar{q0}(N..) \land q1 = \bar{q1} \cdot \bar{q0}(0..N-1) \land \bigwedge_{0 \le k < N} cf_k = true \land vq0 = vq1 = clock = \bar{clock} + N),$$
$$= post(FSD0(\Sigma 1)).$$


I 

Is* 


$$PO(\tau'_i):$$
$$\{I \land vq1 \le vq0 \le clock \land CLOCK_i = 0 \land VQ0_i = 0 \land VQ1_i = 0\}$$
$$S0_i: \langle clock, ts_i, CLOCK_i := clock + 1, clock + 1, 1 \rangle;$$
$$\{I \land vq1 \le vq0 < ts_i \le clock \land CLOCK_i = 1 \land VQ0_i = 0 \land VQ1_i = 0\}$$
$$S1_i: \langle \mathbf{if}\ vq0 + 1 = ts_i \rightarrow x_i, q0, vq0, VQ0_i := q0(0), q0(1..), ts_i, 1\ \mathbf{fi} \rangle;$$
$$\{I \land vq1 < ts_i \le vq0 \le clock \land x_i = \bar{q0}(ts_i - (\bar{vq0} + 1)) \land CLOCK_i = 1 \land VQ0_i = 1 \land VQ1_i = 0\}$$
$$S2_i: \langle \mathbf{if}\ vq1 + 1 = ts_i \rightarrow q1, vq1, VQ1_i := q1 \cdot x_i, ts_i, 1\ \mathbf{fi} \rangle;$$
$$\{I \land ts_i \le vq1 \le vq0 \le clock \land CLOCK_i = 1 \land VQ0_i = 1 \land VQ1_i = 1\}$$
$$S3_i: \langle end(\tau'_i) \rangle$$
$$\{I \land ts_i \le vq1 \le vq0 \le clock \land cf_i = true \land CLOCK_i = 1 \land VQ0_i = 1 \land VQ1_i = 1\}$$

Figure 2.3: Proof Outline $PO(\tau'_i)$.

Since $\bar{\tau}_0; \ldots; \bar{\tau}_{N-1} \in SER(\bar{T}1)$,

$$wp(\bar{\tau}_0; \ldots; \bar{\tau}_{N-1},\ V1 \equiv_1 \bar{V}1) \Rightarrow \bigvee_{\sigma \in SER(\bar{T}1)} wp(\sigma, V1 \equiv_1 \bar{V}1),$$

and $SD0(\Sigma 1)$ can be inferred from (2.28) using the Rule of Consequence.

Finally, we must show that execution of $\Sigma 1$ terminates when started with $C1 \land V1 = \bar{V}1$. Recall that we have assumed concurrent execution of transactions to be weakly fair. The following lemma provides a general strategy for proving termination under this assumption, and will be used here and in subsequent examples.

Lemma 2.4.2 (Termination Under Weak Fairness) If concurrent execution of transactions is weakly fair, execution of any database system $\Sigma$ will terminate if the following two conditions are satisfied.

T1. Every execution of $\Sigma$ consists of a bounded number of atomic operations.

T2. As long as execution of $\Sigma$ has not terminated, there is at least one enabled atomic operation.


Proof of Lemma 2.4.2 Suppose $\Sigma$ has not terminated. Condition T2 guarantees that there must be at least one enabled atomic operation $S$. If no operation runs, then $S$ will be forever delayed in spite of the fact that it is enabled, which would violate the assumption of weak fairness. Thus, some operation will run as long as execution of $\Sigma$ has not terminated. Condition T1 states that there is a bound on the number of operations that can run before $\Sigma$ terminates. From this it follows that $\Sigma$ will eventually terminate. □


Thus, we can prove that execution of $\Sigma 1$ terminates when started with $C1 \land V1 = \bar{V}1$ true by showing that execution of $\Sigma 1$ satisfies conditions T1 and T2 when started with $C1 \land V1 = \bar{V}1$ true.

Theorem 2.4.3 Execution of $\Sigma 1$ satisfies conditions T1 and T2 of Lemma 2.4.2 when started with $C1 \land V1 = \bar{V}1$ true. □

Proof of Theorem 2.4.3 Since each $\tau'_i$ of $\Sigma 1$ contains only four atomic operations and does not contain any loops, $\Sigma 1$ trivially satisfies condition T1. Now, we show that $\Sigma 1$ satisfies condition T2. Suppose execution of $\Sigma 1$ has not terminated. Then there




must be at least one atomic operation $S$ such that the control point preceding $S$ has been reached. Suppose that $S$ is $S0_i$ for some transaction $\tau'_i$. The states in which $S0_i$ will run to completion are those that satisfy $wp(S0_i, true)$. Since

$$wp(S0_i, true) = true,$$

$S0_i$ will be enabled when it is reached. Thus, condition T2 will be satisfied when $S0_i$ has been reached.

Suppose that $S1_i$ has been reached. Note that

$$pre(S1_i) \Rightarrow (I1 \land VQ0_i = 0) \Rightarrow |q0| > 0.$$

Thus, $q0$ contains at least one element when $S1_i$ has been reached. In addition,

$$pre(S1_i) \Rightarrow (I3 \land vq0 < clock)$$
$$\Rightarrow (I3 \land vq0 < vq0 + 1 \le clock)$$
$$= ((\forall v: vq0 < v \le clock: (\exists k: 0 \le k < N: CLOCK_k = 1 \land VQ0_k = 0 \land v = ts_k)) \land vq0 < vq0 + 1 \le clock).$$

Since $vq0 < vq0 + 1 \le clock$ implies that $vq0 + 1$ satisfies the range of the universal quantifier in $I3$, the quantified expression can be instantiated with $vq0 + 1$ substituted for $v$. Thus,

$$pre(S1_i) \Rightarrow (\exists k: 0 \le k < N: CLOCK_k = 1 \land VQ0_k = 0 \land vq0 + 1 = ts_k) \land |q0| > 0.$$

It follows from the interpretation of $FSD0(\Sigma 1)$ that when execution of $\Sigma 1$ starts with $C1 \land V1 = \bar{V}1$ and reaches $S1_i$, there is some $\tau'_k$ such that $CLOCK_k = 1 \land VQ0_k = 0 \land vq0 + 1 = ts_k \land |q0| > 0$. Since $CLOCK_k = 1 \land VQ0_k = 0$ implies that the control point before $S1_k$ has been reached and

$$(vq0 + 1 = ts_k \land |q0| > 0) \Rightarrow wp(S1_k, true),$$

$S1_k$ in $\tau'_k$ will be enabled when $S1_i$ is reached. Thus, condition T2 will be satisfied when $S1_i$ has been reached.

Suppose that $S2_i$ has been reached. Note that

$$pre(S2_i) \Rightarrow (I4 \land vq1 < vq0)$$
$$\Rightarrow (I4 \land vq1 < vq1 + 1 \le vq0)$$
$$= ((\forall v: vq1 < v \le vq0: (\exists k: 0 \le k < N: VQ0_k = 1 \land VQ1_k = 0 \land v = ts_k)) \land vq1 < vq1 + 1 \le vq0).$$

Since $vq1 < vq1 + 1 \le vq0$ implies that $vq1 + 1$ satisfies the range of the universal quantifier in $I4$, the quantified expression can be instantiated with $vq1 + 1$ substituted for $v$, from which it follows that

$$pre(S2_i) \Rightarrow (\exists k: 0 \le k < N: VQ0_k = 1 \land VQ1_k = 0 \land vq1 + 1 = ts_k).$$

It follows from the interpretation of $FSD0(\Sigma 1)$ that when execution of $\Sigma 1$ starts with $C1 \land V1 = \bar{V}1$ and reaches $S2_i$, there is some transaction $\tau'_k$ such that $VQ0_k = 1 \land VQ1_k = 0 \land vq1 + 1 = ts_k$. Since $VQ0_k = 1 \land VQ1_k = 0$ implies that the control point before $S2_k$ has been reached and

$$vq1 + 1 = ts_k \Rightarrow wp(S2_k, true),$$

$S2_k$ in $\tau'_k$ will be enabled when $S2_i$ has been reached. Thus condition T2 will be satisfied when $S2_i$ has been reached.

Finally, suppose that $S3_i$ has been reached. Since

$$wp(S3_i, true) = true,$$

$S3_i$ will be enabled and condition T2 will be satisfied.

Thus, execution of $\Sigma 1$ satisfies conditions T1 and T2 of Lemma 2.4.2 when started with $C1 \land V1 = \bar{V}1$ true, and consequently will terminate. □
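The following Python program, added here as an illustration and not part of the dissertation, executes the synchronized system $\Sigma 1$ of Figure 2.2 exhaustively for a small $N$: every interleaving of the transactions is explored, and at each step the program checks the guards of Lemma 2.4.1 (TS1), condition T2 of Theorem 2.4.3 (some operation is always enabled, so the guards never deadlock) and, in each final state, equivalence under $\equiv_1$ to the serial composition of the shadow transactions, which is what $SD0(\Sigma 1)$ asserts. The sample queues are constructed, and the state encoding and function names are the example's own.

```python
from itertools import permutations

# State of Sigma1 as an immutable tuple (so it can be stored in a set):
# (q0, q1, x, cf, clock, vq0, vq1, ts, pc); pc[i] in 0..4 is the control point of tau_i.
def initial_state(q0, q1, n):
    """Initial state satisfying C1: q1.q0 = Q, |q0| >= #incomplete, vq0 = vq1 = clock."""
    assert len(q0) >= n
    return (tuple(q0), tuple(q1), (None,) * n, (False,) * n,
            0, 0, 0, (None,) * n, (0,) * n)

def enabled(state, i):
    """wp(S, true) of the next operation S of tau_i (the guards of Figure 2.2)."""
    q0, q1, x, cf, clock, vq0, vq1, ts, pc = state
    step = pc[i]
    if step == 0:                       # S0_i is always enabled
        return True
    if step == 1:                       # S1_i: guard vq0 + 1 = ts_i, and q0(0) must exist
        return vq0 + 1 == ts[i] and len(q0) > 0
    if step == 2:                       # S2_i: guard vq1 + 1 = ts_i
        return vq1 + 1 == ts[i]
    return step == 3                    # S3_i: end(tau_i); step 4 means tau_i is done

def run(state, i):
    """Execute the next atomic operation of tau_i; the caller has checked enabled()."""
    q0, q1, x, cf, clock, vq0, vq1, ts, pc = state
    step = pc[i]
    if step == 0:                       # S0_i: <clock, ts_i := clock + 1, clock + 1>
        clock += 1
        ts = ts[:i] + (clock,) + ts[i + 1:]
    elif step == 1:                     # S1_i: x_i, q0, vq0 := q0(0), q0(1..), ts_i
        x = x[:i] + (q0[0],) + x[i + 1:]
        q0, vq0 = q0[1:], ts[i]
    elif step == 2:                     # S2_i: q1, vq1 := q1 . x_i, ts_i
        q1, vq1 = q1 + (x[i],), ts[i]
    else:                               # S3_i: <end(tau_i)> records completion in cf_i
        cf = cf[:i] + (True,) + cf[i + 1:]
    return (q0, q1, x, cf, clock, vq0, vq1, ts, pc[:i] + (step + 1,) + pc[i + 1:])

def observable(state):
    """The components related by ==1: q0, q1, the cf_k, vq0, vq1 and clock (not ts, x)."""
    q0, q1, x, cf, clock, vq0, vq1, ts, pc = state
    return (q0, q1, cf, vq0, vq1, clock)

def serial_run(state, order):
    """Run the (shadow) transactions one after another in the given order."""
    for i in order:
        for _ in range(4):
            assert enabled(state, i), "a transaction run in isolation must not block"
            state = run(state, i)
    return state

def explore(q0, q1, n):
    """Explore every interleaving of Sigma1 for n transactions.
    Returns (number of reachable states, number of final states) after checking
    TS1 at every access, T2 in every non-final state and SD0 in every final state."""
    init = initial_state(q0, q1, n)
    seen, frontier, finals = {init}, [init], set()
    serial_results = {observable(serial_run(init, p)) for p in permutations(range(n))}
    while frontier:
        s = frontier.pop()
        if all(p == 4 for p in s[8]):
            finals.add(s)
            # SD0: the final state must be ==1-equivalent to some serial schedule
            assert observable(s) in serial_results, "non-serializable final state"
            continue
        moves = [i for i in range(n) if enabled(s, i)]
        assert moves, "condition T2 violated: no enabled operation"   # a deadlock
        for i in moves:
            # TS1: an access to q0 (q1) carries a timestamp greater than its version
            # number; TS2 follows because vq0 and vq1 only ever increase.
            if s[8][i] == 1:
                assert s[7][i] > s[5]
            if s[8][i] == 2:
                assert s[7][i] > s[6]
            t = run(s, i)
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return len(seen), len(finals)

if __name__ == "__main__":
    print(explore(("a", "b", "c", "d"), ("z",), 3))   # all checks pass for N = 3
```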

2.5  A  More  Tractable  Method 

The preceding example $\Sigma 1$ with Method 2.3.6 is misleading in one respect. Because of the uniformity of the transactions in $T1$, all serializable executions of $\Sigma 1$ leave the same values in $q0$ and $q1$. For an arbitrary serializable database system $\Sigma$, however, the size of the assertions in the proof of $SD0(\Sigma)$ can be proportional to the number of different serial schedules. If $\Sigma$ contains $N$ transactions, there are $\prod_{0 < k \le N} k = N!$ possible serial schedules, a number that quickly grows intractably large.

A more tractable method of proving database systems serializable in Proof Outline Logic can be obtained by moving the shadow transactions from the postcondition of the proof outline into the transactions themselves. This is accomplished by constructing an augmented system. For $\Sigma = (V, C, T, \equiv)$, let $\Sigma^* = (V^*, C, T^*, \equiv)$ be the database system in which $V^*$ is the vector obtained by concatenating $V$ and $\bar{V}$, and $T^* = \{\tau^*_0, \ldots, \tau^*_{N-1}\}$ is a set of augmented transactions in which each $\tau^*_i$ is constructed* by replacing some $\langle S_i \rangle$ in $\tau_i$ by $\langle S_i; \bar{\tau}_i \rangle$.

For $\sigma^*$ a schedule of $\Sigma^*$, let $\sigma^*|_V$ be the schedule of transactions in $T$ obtained by deleting the operations on $\bar{V}$ from $\sigma^*$, and let $\sigma^*|_{\bar{V}}$ be the schedule obtained by deleting the operations on $V$ from $\sigma^*$. Note that $\sigma^*|_V$ is a schedule of $\Sigma$ that transforms the variables of $V$ in exactly the same way as $\sigma^*$, and $\sigma^*|_{\bar{V}}$ is the sequential composition of shadow transactions that contains $\bar{\tau}_i$ if and only if $\tau_i$ completes in $\sigma^*|_V$. If each $\tau^*_i$ has been constructed so that operation $\langle S_i; \bar{\tau}_i \rangle$ runs if and only if $\tau_i$ completes, then the serializability of $\sigma^*|_V$ will follow from the equivalence of $V$ and $\bar{V}$ after $\sigma^*$ runs.

* We define nested angle brackets $\langle \ldots \langle S \rangle \ldots \rangle$ to be equivalent to $\langle \ldots S \ldots \rangle$.

Theorem 2.5.1 (Schedule Serializability with Proof Outlines II) Let $\Sigma^*$ be an augmented system for database system $\Sigma = (V, C, T, \equiv)$ in which each $\tau^*_i$ has been constructed so that $\langle S_i; \bar{\tau}_i \rangle$ runs if and only if $\tau_i$ completes. Let $\sigma^*$ be a schedule of $\Sigma^*$. If

$$SS1(\sigma^*):\ \{C \land V = \bar{V}\}\ \sigma^*\ \{V \equiv \bar{V}\}$$

is valid, then $\sigma^*|_V$ is a serializable schedule of $\Sigma$. □

Proof of Theorem 2.5.1 $SS1(\sigma^*)$ is valid if and only if

$$\models (C \land V = \bar{V} \land wp(\sigma^*, true)) \Rightarrow wp(\sigma^*, V \equiv \bar{V}). \qquad (2.29)$$

By Lemma 2.3.4, $\sigma^*|_V$ is a serializable schedule of $\Sigma$ if and only if

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_V, true)) \Rightarrow wp\Big(\sigma^*|_V, \bigvee_{\sigma \in SER(\bar{T})} wp(\sigma, V \equiv \bar{V})\Big). \qquad (2.30)$$

Thus, the theorem will follow if it can be shown that (2.29) implies (2.30). This is proven as follows.

Since $V$ and $\bar{V}$ are disjoint, every operation of $\sigma^*|_V$ commutes with every operation of $\sigma^*|_{\bar{V}}$. From this it follows that

$$\models wp(\sigma^*, R) \Leftrightarrow wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, R)$$

for any predicate $R$. Due to this and Lemma 2.3.2, (2.29) holds if and only if

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, true)) \Rightarrow wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, V \equiv \bar{V}). \qquad (2.31)$$

By Lemma 2.3.3 and Predicate Logic,

$$wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, true) \Leftrightarrow wp(\sigma^*|_V, wp(\sigma^*|_{\bar{V}}, true)),$$
$$\Leftrightarrow wp(\sigma^*|_V, true \land wp(\sigma^*|_{\bar{V}}, true)),$$
$$\Leftrightarrow wp(\sigma^*|_V, true) \land wp(\sigma^*|_{\bar{V}}, true).$$

Thus, (2.31) holds if and only if

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_V, true) \land wp(\sigma^*|_{\bar{V}}, true)) \Rightarrow wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, V \equiv \bar{V}). \qquad (2.32)$$

Since conjunction is commutative, (2.32) holds if and only if

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_{\bar{V}}, true) \land wp(\sigma^*|_V, true)) \Rightarrow wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, V \equiv \bar{V}). \qquad (2.33)$$

By Predicate Logic, $(C \land V = \bar{V}) \Rightarrow \bar{C}$, and because $\sigma^*|_{\bar{V}}$ is a serial schedule of shadow transactions,

$$\bar{C} \Rightarrow wp(\sigma^*|_{\bar{V}}, true).$$

Thus,

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_{\bar{V}}, true) \land wp(\sigma^*|_V, true)) \Leftrightarrow (C \land V = \bar{V} \land wp(\sigma^*|_V, true)).$$

Thus, (2.33) holds if and only if

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_V, true)) \Rightarrow wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, V \equiv \bar{V}). \qquad (2.34)$$

By definition,

$$wp(\sigma^*|_V; \sigma^*|_{\bar{V}}, V \equiv \bar{V}) \Leftrightarrow wp(\sigma^*|_V, wp(\sigma^*|_{\bar{V}}, V \equiv \bar{V})).$$

Thus, (2.34) holds if and only if

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_V, true)) \Rightarrow wp(\sigma^*|_V, wp(\sigma^*|_{\bar{V}}, V \equiv \bar{V})). \qquad (2.35)$$

By construction of $T^*$, $\sigma^*|_{\bar{V}} \in SER(\bar{T})$. From this it follows that

$$wp(\sigma^*|_{\bar{V}}, V \equiv \bar{V}) \Rightarrow \bigvee_{\sigma \in SER(\bar{T})} wp(\sigma, V \equiv \bar{V})$$

and by monotonicity of $wp$,

$$wp(\sigma^*|_V, wp(\sigma^*|_{\bar{V}}, V \equiv \bar{V})) \Rightarrow wp\Big(\sigma^*|_V, \bigvee_{\sigma \in SER(\bar{T})} wp(\sigma, V \equiv \bar{V})\Big).$$

By Predicate Logic, if $A'$ is obtained from $A$ by replacing some occurrence of $B$ by $B'$, and $\models B \Rightarrow B'$, then $\models A \Rightarrow A'$. If $\models A \Rightarrow A'$, then $\models A$ implies $\models A'$. From this it follows that (2.35) implies

$$\models (C \land V = \bar{V} \land wp(\sigma^*|_V, true)) \Rightarrow wp\Big(\sigma^*|_V, \bigvee_{\sigma \in SER(\bar{T})} wp(\sigma, V \equiv \bar{V})\Big). \qquad (2.36)$$

By identity, (2.36) holds if and only if (2.30). □

Theorem 2.5.1 can be extended to obtain a tractable proof outline whose validity implies that every schedule of $\Sigma$ is serializable.

Theorem 2.5.2 (System Serializability with Proof Outlines II) Let $\Sigma^*$ be an augmented system for $\Sigma$ in which each $\tau^*_i$ has been constructed so that $\langle S_i; \bar{\tau}_i \rangle$ runs if and only if $\tau_i$ completes. $\Sigma$ is a serializable system if execution of $\Sigma^*$ terminates when started with $C \land V = \bar{V}$ true and

$$SD1(\Sigma^*):\ \{C \land V = \bar{V}\}$$
$$\mathbf{cobegin}\ \tau^*_0 \parallel \cdots \parallel \tau^*_{N-1}\ \mathbf{coend}$$
$$\{V \equiv \bar{V}\}$$

is valid. □

Proof of Theorem 2.5.2 Since the variables $\bar{V}$ do not occur in the transactions of $\Sigma$, execution of $\Sigma$ terminates when started with $C$ true if execution of $\Sigma^*$ terminates when started with $C \land V = \bar{V}$ true. The interpretation of proof outlines and the semantics of cobegin imply that $SD1(\Sigma^*)$ is valid if and only if

$$SS1(\sigma^*):\ \{C \land V = \bar{V}\}\ \sigma^*\ \{V \equiv \bar{V}\}$$

is valid for every schedule $\sigma^*$ of $\Sigma^*$. By Theorem 2.5.1, the validity of $SS1(\sigma^*)$ implies that $\sigma^*|_V$ is a serializable schedule. Since every schedule $\sigma^*|_V$ is a schedule of $\Sigma$, the validity of $SD1(\Sigma^*)$ implies that every schedule of $\Sigma$ is serializable, and the theorem follows by Definition 2.2.2 of a serializable system. □

Theorem 2.5.2 serves as the basis for a simpler method of proving the serializability of a database system.

Method 2.5.3 (Proving System Serializability II) To prove that a system $\Sigma = (V, C, T, \equiv)$ is serializable:

1. Introduce Shadow Variables and Transactions. Define shadow variables $\bar{V}$ and construct shadow transactions $\bar{T}$ corresponding to the variables $V$ and transactions $T$ of $\Sigma$.

2. Form Augmented System. Construct an augmented system $\Sigma^* = (V^*, C, T^*, \equiv)$ in which one operation $\langle S_i \rangle$ in each $\tau_i \in T$ is replaced by $\langle S_i; \bar{\tau}_i \rangle$, and $\bar{\tau}_i$ runs if and only if $\tau_i$ completes.

3. Prove $SD1(\Sigma^*)$. Prove that

$$SD1(\Sigma^*):\ \{C \land V = \bar{V}\}$$
$$\mathbf{cobegin}\ \tau^*_0 \parallel \cdots \parallel \tau^*_{N-1}\ \mathbf{coend}$$
$$\{V \equiv \bar{V}\}$$

is valid.

4. Prove Termination. Prove that execution of $\Sigma^*$ terminates when started with $C \land V = \bar{V}$ true.

□


2.6  Examples  of  the  Second  Method 

We now present two examples that use Method 2.5.3 to prove serializability. In the first example, we give an alternate proof that $\Sigma 1$ of Figure 2.2 is serializable. In the second example, we prove that replacing the equivalence relation $\equiv_0$ by one that reflects the semantics of a different application results in a database system that is serializable without any synchronization at all.

2.6.1  An  Alternate  Proof  of  Serializability  for  El 

As the first step of Method 2.5.3, we define shadow variables

$$\bar{V}1:\ \bar{q0}, \bar{q1}, \bar{x}_0, \ldots, \bar{x}_{N-1}, \bar{cf}_0, \ldots, \bar{cf}_{N-1}, \bar{clock}, \bar{vq0}, \bar{vq1}, \bar{ts}_0, \ldots, \bar{ts}_{N-1}$$

corresponding to the variables of $V1$ and construct shadow transactions

$$\bar{\tau}_i:\ \langle \bar{clock}, \bar{ts}_i := \bar{clock} + 1, \bar{clock} + 1 \rangle;$$
$$\langle \mathbf{if}\ \bar{vq0} + 1 = \bar{ts}_i \rightarrow \bar{x}_i, \bar{q0}, \bar{vq0} := \bar{q0}(0), \bar{q0}(1..), \bar{ts}_i\ \mathbf{fi} \rangle;$$
$$\langle \mathbf{if}\ \bar{vq1} + 1 = \bar{ts}_i \rightarrow \bar{q1}, \bar{vq1} := \bar{q1} \cdot \bar{x}_i, \bar{ts}_i\ \mathbf{fi} \rangle;$$
$$\langle end(\bar{\tau}_i) \rangle$$

corresponding to each $\tau_i$.

$$\Sigma 1^* = (V1^*, C1, T1^*, \equiv_1)$$
$$V1^* = V1 \cdot \bar{V}1,$$
$$T1^* = \{\tau^*_0, \ldots, \tau^*_{N-1}\}$$
$$\tau^*_i = S0_i: \langle clock, ts_i := clock + 1, clock + 1;\ \bar{\tau}_i \rangle;$$
$$S1_i: \langle \mathbf{if}\ vq0 + 1 = ts_i \rightarrow x_i, q0, vq0 := q0(0), q0(1..), ts_i\ \mathbf{fi} \rangle;$$
$$S2_i: \langle \mathbf{if}\ vq1 + 1 = ts_i \rightarrow q1, vq1 := q1 \cdot x_i, ts_i\ \mathbf{fi} \rangle;$$
$$S3_i: \langle end(\tau_i) \rangle$$

Figure 2.4: Augmented Database System $\Sigma 1^*$.

Next, we construct the augmented system $\Sigma 1^*$ of Figure 2.4. Each $\tau^*_i$ is constructed from $\tau_i$ by replacing $S0_i$ with $\langle S0_i; \bar{\tau}_i \rangle$. In this position, the shadow transactions will execute in timestamp order. By our assumption that transactions always complete, $S0_i$ is reached if and only if $\tau_i$ of $\Sigma 1$ completes, as required.

Next, we prove that

$$SD1(\Sigma 1^*):\ \{C1 \land V1 = \bar{V}1\}$$
$$\mathbf{cobegin}\ \tau^*_0 \parallel \cdots \parallel \tau^*_{N-1}\ \mathbf{coend}$$
$$\{V1 \equiv_1 \bar{V}1\}$$

is valid. To do this, we first construct the full proof outline

$$FSD1(\Sigma 1^*):$$
$$\{C1 \land V1 = \bar{V}1\}$$
$$\langle LQ1, CLOCK_0, VQ0_0, VQ1_0, \ldots, CLOCK_{N-1}, VQ0_{N-1}, VQ1_{N-1} := |\bar{q1}|, 0, \ldots, 0 \rangle$$
$$\{I \land (\forall k: 0 \le k < N: 0 = VQ1_k = VQ0_k = CLOCK_k)\}$$
$$\mathbf{cobegin}\ PO(\tau^*_0) \parallel \cdots \parallel PO(\tau^*_{N-1})\ \mathbf{coend}$$
$$\{q0 = \bar{q0} \land q1 = \bar{q1} \land \bigwedge_{0 \le k < N} cf_k = \bar{cf}_k \land vq0 = \bar{vq0} \land vq1 = \bar{vq1} \land clock = \bar{clock}\}$$

where each $PO(\tau^*_i)$ is the proof outline for $\tau^*_i$ shown in Figure 2.5. Auxiliary variables $CLOCK_i$, $VQ0_i$ and $VQ1_i$ are used again to indicate when $\tau^*_i$ has incremented $clock$, $vq0$, and $vq1$, respectively, and an additional auxiliary variable $LQ1$ is used to record the initial length* of $\bar{q1}$.

Each assertion contains the invariant

$$I:\ I0 \land I1 \land I2 \land I3 \land I4.$$

Here, the first conjunct

$$I0:\ \bar{clock} = \bar{vq0} = \bar{vq1} \land (\forall k: 0 \le k < N: 0 \le VQ1_k \le VQ0_k \le CLOCK_k \le 1)$$
$$\land\ clock = \bar{clock} \land vq0 + \sum_{0 \le k < N} CLOCK_k = \bar{vq0} + \sum_{0 \le k < N} VQ0_k \land vq1 + \sum_{0 \le k < N} CLOCK_k = \bar{vq1} + \sum_{0 \le k < N} VQ1_k$$

specifies that $\bar{clock}$, $\bar{vq0}$ and $\bar{vq1}$ remain equal, a result of executing the shadow transactions atomically, and bounds the values of $clock$, $vq0$ and $vq1$ in terms of the shadow and auxiliary variables. The second conjunct

* Note that consistency constraint $C1$ does not imply that initially $\bar{q1}$ is empty.


$$I1:\ |q0| \ge N - \sum_{0 \le k < N} VQ0_k \land |\bar{q0}| \ge N - \sum_{0 \le k < N} CLOCK_k \land |\bar{q1}| = LQ1 + \sum_{0 \le k < N} CLOCK_k$$
$$\land\ q0 = \bar{q1}\Big(\big(LQ1 + \sum_{0 \le k < N} VQ0_k\big)..\Big) \cdot \bar{q0} \land q1 = \bar{q1}\Big(0..\big(LQ1 + \sum_{0 \le k < N} VQ1_k\big) - 1\Big)$$

bounds the size of the sequences $q0$, $\bar{q0}$ and $\bar{q1}$ and specifies in terms of the auxiliary variables the elements that have been transferred from $q0$ to $q1$. The third conjunct

$$I2:\ \bigwedge_{0 \le k < N} (CLOCK_k = 1 \Rightarrow ts_k \le clock) \land \bigwedge_{0 \le j \ne k < N} ((CLOCK_j = 1 \land CLOCK_k = 1) \Rightarrow ts_j \ne ts_k)$$

specifies that different transactions choose different timestamps, while the fourth and fifth conjuncts

$$I3:\ (\forall v: vq0 < v \le clock: (\exists k: 0 \le k < N: CLOCK_k = 1 \land VQ0_k = 0 \land v = ts_k))$$
$$I4:\ (\forall v: vq1 < v \le vq0: (\exists k: 0 \le k < N: VQ0_k = 1 \land VQ1_k = 0 \land v = ts_k))$$

specify that there is a transaction $\tau_k$ with timestamp $ts_k = v$ for every value $v$ between $vq0 + 1$ and $clock$ or between $vq1 + 1$ and $vq0$.

The proof $FSD1(\Sigma 1^*)$ is a straightforward application of the axioms and rules of Proof Outline Logic, and is omitted here. $SD1(\Sigma 1^*)$ can be inferred from $FSD1(\Sigma 1^*)$ using the Assertion Deletion Rule followed by the Auxiliary Variable Deletion Rule.

Finally, we show that concurrent execution terminates when started in a state satisfying $pre(SD1(\Sigma 1^*))$. This proof is exactly the same as the proof of termination in Section 2.4, so we will not repeat it here.
$$PO(\tau^*_i):$$
$$\{I \land vq1 \le vq0 \le clock \land CLOCK_i = 0 \land VQ0_i = 0 \land VQ1_i = 0\}$$
$$S0_i: \langle clock, ts_i, CLOCK_i := clock + 1, clock + 1, 1;\ \bar{\tau}_i \rangle;$$
$$\{I \land vq1 \le vq0 < ts_i \le clock \land CLOCK_i = 1 \land VQ0_i = 0 \land VQ1_i = 0 \land \bar{cf}_i = true\}$$
$$S1_i: \langle \mathbf{if}\ vq0 + 1 = ts_i \rightarrow x_i, q0, vq0, VQ0_i := q0(0), q0(1..), ts_i, 1\ \mathbf{fi} \rangle;$$
$$\{I \land vq1 < ts_i \le vq0 \le clock \land x_i = \bar{q1}\Big(LQ1 + ts_i - (\bar{vq0} + 1) + \sum_{0 \le k < N} CLOCK_k\Big) \land CLOCK_i = 1 \land VQ0_i = 1 \land VQ1_i = 0 \land \bar{cf}_i = true\}$$
$$S2_i: \langle \mathbf{if}\ vq1 + 1 = ts_i \rightarrow q1, vq1, VQ1_i := q1 \cdot x_i, ts_i, 1\ \mathbf{fi} \rangle;$$
$$\{I \land ts_i \le vq1 \le vq0 \le clock \land CLOCK_i = 1 \land VQ0_i = 1 \land VQ1_i = 1 \land \bar{cf}_i = true\}$$
$$S3_i: \langle end(\tau^*_i) \rangle$$
$$\{I \land ts_i \le vq1 \le vq0 \le clock \land CLOCK_i = 1 \land VQ0_i = 1 \land VQ1_i = 1 \land cf_i = \bar{cf}_i\}$$

Figure 2.5: Proof Outline $PO(\tau^*_i)$.

2.6.2  Sequence  Variables  with  Set  Semantics 

Database systems in which variables are instances of abstract datatypes are considered in [SS84], where it is shown that by ignoring parts of the state that do not produce visible differences in the values of the abstract datatypes implemented, a larger set of schedules can be considered serializable. This view of serializability can be formalized in our system model by using the equivalence relation. We illustrate this by considering the transactions of the database system $\Sigma 0$ described in Section 2.1 in a context in which the sequence variables $q0$ and $q1$ are viewed as implementing sets.

Recall that $\Sigma 0$ models an application in which a series of independent events move elements of $q0$ to $q1$. Suppose $q0$ and $q1$ are treated as unordered collections instead of as queues. Database system $\Sigma 2$ of Figure 2.6 models this situation. Note that the
$$\Sigma 2 = (V2, C2, T2, \equiv_2)$$
$$V2 = (q0, q1, x_0, \ldots, x_{N-1}, cf_0, \ldots, cf_{N-1}),$$
$$C2 = (\{q0\} \cup \{q1\} = Q \land |q0| \ge (\#k: 0 \le k < N: cf_k = false)),$$
$$T2 = \{\tau_0, \ldots, \tau_{N-1}\},$$
$$\tau_i = S1_i: \langle x_i, q0 := q0(0), q0(1..) \rangle;$$
$$S2_i: \langle q1 := q1 \cdot x_i \rangle;$$
$$S3_i: \langle end(\tau_i) \rangle$$
$$(V2' \equiv_2 V2'') \Leftrightarrow (\{q0'\} = \{q0''\} \land \{q1'\} = \{q1''\} \land \bigwedge_{0 \le k < N} cf_k' = cf_k'')$$

Figure 2.6: Database System $\Sigma 2$.

variables $V2$ and transactions $T2$ of $\Sigma 2$ are the same as $V0$ and $T0$ of $\Sigma 0$. However, the consistency constraint $C0$ of $\Sigma 0$ has been replaced by the weaker constraint

$$C2:\ \{q0\} \cup \{q1\} = Q \land |q0| \ge (\#k: 0 \le k < N: cf_k = false)$$

and the equivalence relation $\equiv_0$ has been replaced by the weaker relation

$$(V2' \equiv_2 V2'') \Leftrightarrow (\{q0'\} = \{q0''\} \land \{q1'\} = \{q1''\} \land \bigwedge_{0 \le k < N} cf_k' = cf_k'')$$

to reflect that the order of elements within $q0$ and $q1$ is no longer significant.

For any initial state satisfying $C2$, any schedule $\sigma$ of $T2$ will leave a consistent state in which $q0$ and $q1$ contain the same elements as they would after some serial schedule $\sigma'$, although $\sigma$ and $\sigma'$ might order the elements of $q1$ differently. Consequently, every schedule of $\Sigma 2$ will be serializable under Definition 2.2.1, as is easily proven using Method 2.5.3.
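As an added illustration of this claim (example code, not from the dissertation), the Python program below enumerates every interleaving of the unsynchronized transactions of $\Sigma 2$ for a small $N$ and counts how many are serializable under $\equiv_0$ (sequence equality, as in $\Sigma 0$) and under $\equiv_2$ (set equality): all of them under $\equiv_2$, but not under $\equiv_0$. The sample queues are constructed and the function names are the example's own.

```python
from itertools import permutations

def interleavings(n, ops=3):
    """Every schedule of n transactions with `ops` operations each, as a tuple of
    transaction indices; the k-th occurrence of i is the k-th operation of tau_i, so
    each transaction's program order S1_i; S2_i; S3_i is respected."""
    def gen(remaining, prefix):
        if not any(remaining):
            yield tuple(prefix)
            return
        for i, r in enumerate(remaining):
            if r:
                remaining[i] -= 1
                yield from gen(remaining, prefix + [i])
                remaining[i] += 1
    yield from gen([ops] * n, [])

def execute(schedule, q0, q1, n):
    """Run a schedule of the (unsynchronized) transactions shared by Sigma0 and Sigma2:
    S1_i: <x_i, q0 := q0(0), q0(1..)>;  S2_i: <q1 := q1 . x_i>;  S3_i: <end(tau_i)>.
    Returns the final (q0, q1, cf)."""
    q0, q1 = list(q0), list(q1)
    x, cf, pc = [None] * n, [False] * n, [0] * n
    for i in schedule:
        if pc[i] == 0:
            x[i] = q0.pop(0)            # S1_i dequeues the head of q0
        elif pc[i] == 1:
            q1.append(x[i])             # S2_i appends it to q1
        else:
            cf[i] = True                # S3_i marks tau_i complete
        pc[i] += 1
    return tuple(q0), tuple(q1), tuple(cf)

def equiv0(v, w):
    """==0 of Sigma0: q0 and q1 are compared as sequences."""
    return v == w

def equiv2(v, w):
    """==2 of Sigma2: q0 and q1 are compared as sets ({q0'} = {q0''}), cf_k exactly."""
    return set(v[0]) == set(w[0]) and set(v[1]) == set(w[1]) and v[2] == w[2]

def serial_states(q0, q1, n):
    """Final states of all serial schedules (each permutation of the transactions)."""
    return [execute([i for i in perm for _ in range(3)], q0, q1, n)
            for perm in permutations(range(n))]

def classify(q0, q1, n, equiv):
    """Count how many schedules are serializable under `equiv` (Definition 2.2.1:
    the final state is equivalent to that of some serial schedule). Returns (ok, total)."""
    serial = serial_states(q0, q1, n)
    ok = total = 0
    for sched in interleavings(n):
        total += 1
        final = execute(sched, q0, q1, n)
        if any(equiv(final, s) for s in serial):
            ok += 1
    return ok, total

if __name__ == "__main__":
    Q0, Q1 = ("a", "b", "c"), ("z",)            # constructed sample queues, N = 2
    print("==0:", classify(Q0, Q1, 2, equiv0))   # some interleavings are not serializable
    print("==2:", classify(Q0, Q1, 2, equiv2))   # all of them are
```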

First, we introduce shadow variables

$$\bar{V}2:\ (\bar{q0}, \bar{q1}, \bar{x}_0, \ldots, \bar{x}_{N-1}, \bar{cf}_0, \ldots, \bar{cf}_{N-1})$$

and construct shadow transactions

$$\bar{\tau}_i:\ \langle \bar{x}_i, \bar{q0} := \bar{q0}(0), \bar{q0}(1..) \rangle;$$
$$\langle \bar{q1} := \bar{q1} \cdot \bar{x}_i \rangle;$$
$$\langle end(\bar{\tau}_i) \rangle$$

for each $\tau_i$ of $\Sigma 2$.

Next, we construct the augmented system $\Sigma 2^*$ of Figure 2.7.

$$\Sigma 2^* = (V2^*, C2, T2^*, \equiv_2),$$
$$V2^* = V2 \cdot \bar{V}2,$$
$$\bar{V}2 = (\bar{q0}, \bar{q1}, \bar{x}_0, \ldots, \bar{x}_{N-1}, \bar{cf}_0, \ldots, \bar{cf}_{N-1}),$$
$$T2^* = \{\tau^*_0, \ldots, \tau^*_{N-1}\}$$
$$\tau^*_i = S1_i: \langle x_i, q0 := q0(0), q0(1..);\ \bar{\tau}_i \rangle;$$
$$S2_i: \langle q1 := q1 \cdot x_i \rangle;$$
$$S3_i: \langle end(\tau_i) \rangle$$

Figure 2.7: Augmented Database System $\Sigma 2^*$.

Then we prove that

$$SD1(\Sigma 2^*):\ \{C2 \land V2 = \bar{V}2\}$$
$$\mathbf{cobegin}\ \tau^*_0 \parallel \cdots \parallel \tau^*_{N-1}\ \mathbf{coend}$$
$$\{V2 \equiv_2 \bar{V}2\}$$

is valid. This follows by the Assertion Deletion and Auxiliary Variable Deletion Rules from the validity of the full proof outline




$$PO(\tau^*_i):\ \{I \land D_i = \{\}\}$$
$$S1_i: \langle x_i, q0, D_i := q0(0), q0(1..), \{q0(0)\};\ \bar{\tau}_i \rangle;$$
$$\{I \land D_i = \{x_i\} \land \bar{cf}_i = true\}$$
$$S2_i: \langle q1, D_i := q1 \cdot x_i, \{\} \rangle;$$
$$\{I \land D_i = \{\} \land \bar{cf}_i = true\}$$
$$S3_i: \langle end(\tau^*_i) \rangle$$
$$\{I \land D_i = \{\} \land cf_i = \bar{cf}_i\}$$

Figure 2.8: Proof Outline $PO(\tau^*_i)$ for $\tau^*_i$ of $\Sigma 2^*$.

$$FSD1(\Sigma 2^*):$$
$$\{C2 \land V2 = \bar{V}2\}$$
$$\langle D_0, \ldots, D_{N-1} := \{\}, \ldots, \{\} \rangle;$$
$$\{I \land \bigwedge_{0 \le k < N} D_k = \{\}\}$$
$$\mathbf{cobegin}\ PO(\tau^*_0) \parallel \cdots \parallel PO(\tau^*_{N-1})\ \mathbf{coend}$$
$$\{\{q0\} = \{\bar{q0}\} \land \{q1\} = \{\bar{q1}\} \land \bigwedge_{0 \le k < N} cf_k = \bar{cf}_k\}$$

where each $PO(\tau^*_i)$ is the proof outline for $\tau^*_i$ given in Figure 2.8. Auxiliary variables $D_i$ have been added to indicate the elements of $Q$ that have been deleted from $q0$ but not yet added to $q1$. Each assertion contains the invariant

$$I:\ q0 = \bar{q0} \land \Big(\{q1\} \cup \bigcup_{0 \le k < N} D_k\Big) = \{\bar{q1}\} \land |q0| \ge (\#k: 0 \le k < N: cf_k = false).$$

The proof of $FSD1(\Sigma 2^*)$ is straightforward and therefore is omitted here. From $FSD1(\Sigma 2^*)$, $SD1(\Sigma 2^*)$ can be inferred by applying the Assertion Deletion Rule followed by the Auxiliary Variable Deletion Rule.

Finally, we must show that execution of $\Sigma 2^*$ terminates when started with $C2 \land V2 = \bar{V}2$ true. To do this, we use Lemma 2.4.2, which states that under the assumption that concurrent execution of transactions is weakly fair, execution of $\Sigma 2^*$ will terminate if conditions T1 and T2 are satisfied.

Theorem 2.6.1 When started with $C2 \land V2 = \bar{V}2$ true, execution of $\Sigma 2^*$ satisfies conditions T1 and T2. □

Proof of Theorem 2.6.1 Since each $\tau^*_i$ of $\Sigma 2^*$ contains only four atomic operations and does not contain any loops, execution of $\Sigma 2^*$ trivially satisfies condition T1.

Suppose that execution of $\Sigma 2^*$ has not terminated. Then there must be at least one atomic operation $S$ such that the control point preceding $S$ has been reached. Since $FSD1(\Sigma 2^*)$ is valid, $pre(S)$ will be true when $S$ is reached. Since

$$pre(S) \Rightarrow wp(S, true)$$

for every $S$ in $FSD1(\Sigma 2^*)$, $S$ will be enabled when it is reached, and condition T2 will be satisfied. □

2.7 Incompleteness of the Second Method for Proving Serializability

The characterization of serializability in terms of proof outlines given by Theorem 2.3.5 is complete. This is because the property that database system $\Sigma$ is serializable is equivalent to the properties specified by the theorem's hypotheses, namely (i) $SD0(\Sigma)$ is a valid proof outline and (ii) execution of $\Sigma$ begun in a state satisfying $pre(SD0(\Sigma))$ is guaranteed to terminate. Because it is derived from Theorem 2.3.5, Method 2.3.6 for proving the serializability of database systems is complete relative to the method with which validity of $SD0(\Sigma)$ and termination of $\Sigma$ are proven.


Σ3 = (V3, C3, T3, ≡3),

V3 = (x0, x1, x2, x3, rx0, rx1, rx2, cf0, cf1, cf2),

C3 = true,

T3 = {τ0, τ1, τ2},

τ_i = S1_i: ⟨rx_i := x_i⟩;
      S2_i: ⟨x_{i+1} := rx_i + 1⟩;
      S3_i: ⟨end(τ_i)⟩

(V3' ≡3 V3'') ≡ (V3' = V3'').

Figure 2.9: Database System Σ3.

In contrast, the characterization of serializability in terms of proof outlines that is given by Theorem 2.5.2 is not complete: there are serializable database systems Σ for which it is not possible to construct an augmented system Σ* such that SD1(Σ*) is valid. For such systems, it will be impossible to use Method 2.5.3 to prove serializability. An example of such a system is Σ3 of Figure 2.9.

Σ3 is serializable, but there is no way to construct an augmented system Σ3* such that SD1(Σ3*) is valid. To see this, assume the contrary. Thus, assume there is an augmented system Σ3* for which SD1(Σ3*) is valid. Consider the schedule

σ7*: S1_0; S1_1; S2_0; S3_0; S1_2; S2_1; S3_1; S2_2; S3_2

of Σ3*. In σ7*, note that S1_1, which reads x1, precedes S2_0, which writes x1. Consequently, rx1 will be left holding the initial value of x1. Likewise, S1_2, which reads x2, precedes S2_1, which writes x2, and so rx2 will be left holding the initial value of x2. From the validity of SD1(Σ3*) and the interpretation of proof outlines, it follows that

{C3 ∧ V3 = V̂3} σ7* {V3 ≡3 V̂3} (2.37)

is valid. This implies that shadow transactions τ̂0, τ̂1 and τ̂2 in σ7* run in an order that leaves rx̂1 and rx̂2 storing the initial values of x1 and x2, respectively.

Since the last operation of τ0 precedes the first operation of τ2 in σ7*, τ̂0 will run before τ̂2, regardless of how the augmented system Σ3* is constructed. Thus, σ̂7* must be one of the schedules τ̂0; τ̂2; τ̂1, τ̂0; τ̂1; τ̂2 or τ̂1; τ̂0; τ̂2. In the first and second cases, rx̂1 will be left holding a value one greater than the initial value of while in the third case, rx̂2 will be left holding a value one greater than the initial value of x2. This contradicts the values of rx̂1 and rx̂2 inferred from the validity of SD1(Σ3*). Thus, SD1(Σ3*) cannot be valid.

Incompleteness of Method 2.5.3 arises because shadow transactions can model only limited serial behavior when they are used to construct an augmented system. In any schedule σ* of an augmented system Σ*, each shadow transaction τ̂_i runs during execution of the augmented transaction τ_i* that contains it. If τ_i* and τ_j* do not interleave with each other in σ*, then the order in which τ̂_i and τ̂_j run will be the same as that of τ_i* and τ_j*. For this reason, the proof outline SD1(Σ*) of Method 2.5.3 specifies that every schedule σ of the original system Σ behaves like a serial schedule σ' in which the order of transactions is consistent with the order of non-interleaved transactions in σ. Database system Σ3 demonstrates that not every serializable database system satisfies this property, and consequently not every serializable database system can be proven serializable using Method 2.5.3. In spite of this, the tractability of Method 2.5.3 compared to Method 2.3.6 makes it preferable in situations where it suffices.
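The argument above can be checked mechanically. The following Python example is added here and is not part of the dissertation; it assumes the reading of Figure 2.9 in which S2_i writes x_{i+1} := rx_i + 1, runs σ7 (that is, σ7* without its shadow transactions) on a constructed initial state, and reports which serial orders of τ0, τ1 and τ2 yield the same final state.

```python
# Added example (not from the dissertation): database system Σ3 of Figure 2.9
# and the schedule σ7 of Section 2.7.  Assumed reading of Figure 2.9:
# S1_i: <rx_i := x_i>, S2_i: <x_{i+1} := rx_i + 1>, S3_i: <end(τ_i)>.
from itertools import permutations


def s1(i):
    def op(st):                      # S1_i: read x_i into rx_i
        st[f"rx{i}"] = st[f"x{i}"]
    return op


def s2(i):
    def op(st):                      # S2_i: write x_{i+1} from rx_i
        st[f"x{i + 1}"] = st[f"rx{i}"] + 1
    return op


def s3(i):
    def op(st):                      # S3_i: end(τ_i), recorded in cf_i
        st[f"cf{i}"] = True
    return op


def transaction(i):
    """The three atomic operations of τ_i in program order."""
    return [s1(i), s2(i), s3(i)]


def run(ops, initial):
    """Execute a schedule (list of atomic operations) from a copy of initial."""
    state = dict(initial)
    for op in ops:
        op(state)
    return state


# σ7: the operations of σ7* in the order given in the text, shadows omitted.
SIGMA7 = [s1(0), s1(1), s2(0), s3(0), s1(2), s2(1), s3(1), s2(2), s3(2)]


def serial(order):
    """Serial schedule running the transactions in the given order."""
    ops = []
    for i in order:
        ops += transaction(i)
    return ops


def equivalent_serial_orders(initial):
    """Serial orders whose final state equals σ7's (≡3 is plain equality)."""
    final = run(SIGMA7, initial)
    return [order for order in permutations(range(3))
            if run(serial(order), initial) == final]


def orders_with_tau0_before_tau2():
    """The serial orders any augmented Σ3* can model: τ̂0 before τ̂2."""
    return [o for o in permutations(range(3)) if o.index(0) < o.index(2)]


if __name__ == "__main__":
    # Constructed sample state: distinct values so coincidences cannot occur.
    init = {"x0": 1, "x1": 10, "x2": 100, "x3": 1000,
            "rx0": 0, "rx1": 0, "rx2": 0,
            "cf0": False, "cf1": False, "cf2": False}
    print("σ7 behaves like serial orders:", equivalent_serial_orders(init))
    print("orders an augmented system can model:", orders_with_tau0_before_tau2())
```

From the sample state σ7 behaves like τ2; τ1; τ0 only, an order in which τ2 precedes τ0 even though τ0 completes before τ2 starts in σ7*; that order is exactly the one no choice of Σ3* can produce.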
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2.8  Discussion 

2.8.1  Comparing  System  Models 

By  constructing  transactions  from  appropriately  chosen  atomic  operations,  the  system 
model  presented  in  Section  2.1  can  model  any  of  the  database  system  models  described 
in Section 1.3. For example, a system implementing read and write operations such as those used to construct the transactions of Figure 1.1 can be modeled by using an atomic operation ⟨v := a[i]⟩ to denote each read operation r(a[i], v) and ⟨a[i] := e⟩ to denote each write operation w(a[i], e).

Explicit  synchronization  is  represented  in  our  database  system  model  by  includ¬ 
ing  synchronizing  operations  among  the  atomic  operations  from  which  transactions 
are  constructed.  Implicit  synchronization  is  modeled  in  one  of  two  ways:  either  by 
introducing  a  scheduler  process  to  which  transactions  make  operation  requests,  or  by 
modifying  transaction  operations  to  perform  the  function  of  the  scheduler  themselves. 
This second approach was illustrated in Section 2.4, when the synchronized database system Σ1 was constructed from Σ0.

2.8.2  Comparing  Definitions  of  Serializability 

In Section 1.3, we divided definitions of serializability into two classes, those characterizing schedule behavior in terms of conflict relations and those characterizing it in terms of state transformations. Definitions 2.2.1 and 2.2.2 generalize in two ways definitions in the second class. One generalization results from the inclusion of the equivalence relation for database system state equality. This allows various criteria by which previous definitions of serializability compare system states to be represented. For example,
Σ4 = (V4, C4, T4, ≡4),

V4 = (x, y, b, z, cf0, cf1),

C4 = (x + y = 1000),

T4 = {τ0, τ1},

τ0 = A1: ⟨if b → y := y + 170 ▯ ¬b → x := x − 170 fi⟩;
     A2: ⟨if b → x := x − 170 ▯ ¬b → y := y + 170 fi⟩;
     A3: ⟨end(τ0)⟩,

τ1 = B1: ⟨z := x⟩;
     B2: ⟨end(τ1)⟩

(V4' ≡4 V4'') ≡ (x' = x'' ∧ y' = y'' ∧ b' = b'' ∧ z' = z'' ∧ cf0' = cf0'' ∧ cf1' = cf1'')

Figure 2.10: Database System Σ4.

final-state serializability can be represented by Definition 2.2.2 by choosing ≡ so that V' ≡ V'' if and only if V' and V'' agree on the final values of every shared variable of the system; view serializability can be represented by adding auxiliary variables to transactions to record the values obtained by read operations and choosing ≡ so that V' ≡ V'' if and only if V' and V'' agree on the final values of both the shared variables and the added auxiliary variables.

A  second  source  of  generality  in  Definitions  2.2.1  and  2.2.2  results  from  the  use 
of  wp  to  compare  the  way  in  which  schedules  transform  the  system  from  one  state 
to  another.  A  schedule  that  is  final-state  or  view  serializable  is  required  to  “behave 
like”  a  particular  serial  schedule;  a  schedule  serializable  according  to  Definition  2.2.1 
is  allowed  to  “behave  like”  different  serial  schedules  depending  on  the  initial  state.  To 
Schedule σ8 is neither final-state nor view serializable because neither σ9 nor σ10 individually produces the same final state as σ8 for every consistent initial state. In particular, σ8 produces different values of z depending on whether b = true or b = false initially.

According to Definition 2.2.1, σ8 is serializable if and only if

⊨ (C4 ∧ wp(σ8, V4 ≡4 V̂4)) ⇒ (wp(σ9, V4 ≡4 V̂4) ∨ wp(σ10, V4 ≡4 V̂4)). (2.38)

Computing wp(σ9, V4 ≡4 V̂4) and wp(σ10, V4 ≡4 V̂4) using the rules of Appendix B gives

wp(σ9, V4 ≡4 V̂4)
  = (x − 170 = x̂ ∧ y + 170 = ŷ ∧ b = b̂ ∧ x − 170 = ẑ ∧ true = ĉf0 ∧ true = ĉf1)

and

wp(σ10, V4 ≡4 V̂4)
  = (x − 170 = x̂ ∧ y + 170 = ŷ ∧ b = b̂ ∧ x = ẑ ∧ true = ĉf0 ∧ true = ĉf1).

Computing wp(σ8, V4 ≡4 V̂4) gives

wp(σ8, V4 ≡4 V̂4)
  = [(b ⇒ (x − 170 = x̂ ∧ y + 170 = ŷ ∧ b = b̂ ∧ x = ẑ ∧ true = ĉf0 ∧ true = ĉf1))
     ∧ (¬b ⇒ (x − 170 = x̂ ∧ y + 170 = ŷ ∧ b = b̂ ∧ x − 170 = ẑ ∧ true = ĉf0 ∧ true = ĉf1))]
  = [(b ⇒ wp(σ10, V4 ≡4 V̂4)) ∧ (¬b ⇒ wp(σ9, V4 ≡4 V̂4))].

For any predicates P and Q, it follows tautologically that

[C4 ∧ (b ⇒ P) ∧ (¬b ⇒ Q)] ⇒ [P ∨ Q].

Taking P to be wp(σ10, V4 ≡4 V̂4) and Q to be wp(σ9, V4 ≡4 V̂4), (2.38) follows trivially. Thus, σ8 is serializable according to Definition 2.2.1.
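The following Python example, added here and not part of the dissertation, runs σ8, σ9 and σ10 of Σ4 on sample consistent initial states and checks both notions of equivalence directly. It assumes σ9 = τ0; τ1, σ10 = τ1; τ0 and σ8 = A1; B1; A2; A3; B2, the interleaving consistent with the wp(σ8) computed above.

```python
# Added example (not from the dissertation): schedules of database system Σ4
# (Figure 2.10).  Assumed schedules: σ9 = τ0;τ1, σ10 = τ1;τ0,
# σ8 = A1; B1; A2; A3; B2 (τ1 reads x between the two updates of τ0).


def A1(st):                          # A1: if b -> y := y + 170 [] ¬b -> x := x - 170 fi
    if st["b"]:
        st["y"] = st["y"] + 170
    else:
        st["x"] = st["x"] - 170


def A2(st):                          # A2: if b -> x := x - 170 [] ¬b -> y := y + 170 fi
    if st["b"]:
        st["x"] = st["x"] - 170
    else:
        st["y"] = st["y"] + 170


def A3(st):                          # A3: end(τ0)
    st["cf0"] = True


def B1(st):                          # B1: z := x
    st["z"] = st["x"]


def B2(st):                          # B2: end(τ1)
    st["cf1"] = True


SIGMA9 = [A1, A2, A3, B1, B2]        # τ0 ; τ1
SIGMA10 = [B1, B2, A1, A2, A3]       # τ1 ; τ0
SIGMA8 = [A1, B1, A2, A3, B2]        # interleaved


def run(ops, initial):
    """Execute a schedule from a copy of the initial state."""
    state = dict(initial)
    for op in ops:
        op(state)
    return state


def equivalent4(s, t):
    """V4' ≡4 V4'': every variable of V4 agrees."""
    return all(s[v] == t[v] for v in ("x", "y", "b", "z", "cf0", "cf1"))


def consistent_initial_states(sample_x):
    """Constructed states satisfying C4 (x + y = 1000), for both values of b."""
    return [{"x": x, "y": 1000 - x, "b": b, "z": 0, "cf0": False, "cf1": False}
            for x in sample_x for b in (True, False)]


def serial_match(initial):
    """Names of the serial schedules that σ8 behaves like from this state."""
    final8 = run(SIGMA8, initial)
    matches = []
    if equivalent4(final8, run(SIGMA9, initial)):
        matches.append("sigma9")
    if equivalent4(final8, run(SIGMA10, initial)):
        matches.append("sigma10")
    return matches


def serializable_per_definition_221(sample_x):
    """Definition 2.2.1: from every consistent initial state σ8 ends in the
    final state of some serial schedule (which one may depend on the state)."""
    return all(serial_match(s) for s in consistent_initial_states(sample_x))


def final_state_serializable(sample_x):
    """Final-state serializability: one serial schedule matches σ8 from every
    consistent initial state in the sample."""
    states = consistent_initial_states(sample_x)
    return any(all(name in serial_match(s) for s in states)
               for name in ("sigma9", "sigma10"))


if __name__ == "__main__":
    for s in consistent_initial_states([0, 500]):
        print("b =", s["b"], "-> σ8 behaves like", serial_match(s))
    print("Definition 2.2.1:", serializable_per_definition_221([0, 170, 500, 1000]))
    print("final-state:", final_state_serializable([0, 170, 500, 1000]))
```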

One previous definition of serializability that is similar to ours can be found in [C81]. Like Definition 2.2.2, the definition of [C81] characterizes system behavior by the way in which the system state is transformed. Our definition and that of [C81] also share the property that final states are compared using an equivalence relation on states, although the equivalence relations that can be specified in [C81] are limited to those having the form

(V' ≡ V'') ≡ (U' = U'')

for some vector of variables U containing a subset of those appearing in V, a subset of those that can be specified in our definition.

However, a more significant difference between the two definitions of serializability is in the formalism chosen to describe the way in which concurrent execution transforms the system from one state to another. Instead of using wp to describe program semantics as we do here, the definition of [C81] uses an extension of Dynamic Logic [FL79,H79] called Concurrent Dynamic Logic [P87] to reason formally about concur-
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Chapter  3 


Deriving  Locking  Protocols 



srnaijzablr  is  partiti<)n<*<i  mtn  <t  prixif  -  if  4  ■tafnv  i>ar(iai  ■  pifm  iiir-»»  .j,,  , 

by  Sl){\{'L\  i.r  V/;i(L‘  I'  ilflii  4  pfiMif  *if  4  pfiip»*r*,  *^firiiii4li(tii  \ 


sp»"rifyirin  thr  laf^lv  pruprrt^  4ss<xmtr.|  4i'ii  ■.••ri4,i/4iM.|i  > 




il  b**<iifiirs  possibir  lo  verify  forriiallv  •,  v 'x  M  r- .11 1/41  x  x,  •,,r.,i,,,  ,,v 


In  this  iliaptrr.  wr  illnstrair  4  ■■fi,.*ii  .1  ,,4r'x  .. 




ability  in  this  wav  tli**  ability  t..  .  1,.  >,  r- .1, ,  /  4! ,1 


iisiiiK  I  iblinat  mns  that  aris^  in  ifir  .t  .r •  ir-\s  ' 

iyni  hronizini^  up^rations  Wr  <tart  wnx  4  a»-ii»-f4  iis. 






mpjirr itifnts  ■  an  br  .jrnvrtl  whik  •  > .ii>i  ^  i- '  ■  i,*  4  x 


assrrlionai  <  harai  trrizatinn  •>{  .ixkina  'iia’  4.x  ■<, 




ti)  bf  sallshrij  by  nsiiiK  .ixkiliK  ■  ili»T4i  •  .1. - 


3.1  Proofs  of  Concurrent  Programs 

Before turning to the specific problem of deriving synchronization to ensure serializability of database systems, we first examine how proof outlines for concurrent programs are constructed. Note that both SD0(Σ) of Method 2.3.6 and SD1(Σ*) of Method 2.5.3 have the general form

PO(Σ): {Q} cobegin τ0 ∥ ... ∥ τ_{N−1} coend {R}. (3.1)

In Proof Outline Logic, PO(Σ) is inferred in two steps. First, the cobegin Rule (summarized with other rules and axioms of Proof Outline Logic in Appendix A) is applied to obtain a full proof outline

FPO(Σ): {Q} cobegin PO(τ0) ∥ ... ∥ PO(τ_{N−1}) coend {R}.

Then the Assertion Deletion Rule is applied to delete intermediate assertions from FPO(Σ) to obtain PO(Σ).

The cobegin Rule requires FPO(Σ) to satisfy four hypotheses. The first hypothesis of the cobegin Rule requires that each PO(τ_i) be a valid proof outline:

H1: PO(τ0), ..., PO(τ_{N−1}) are valid proof outlines.

The second hypothesis of the cobegin Rule ensures that the precondition of each PO(τ_i) will be true when concurrent execution starts:

H2: Q ⇒ (pre(PO(τ0)) ∧ ... ∧ pre(PO(τ_{N−1}))).

The third hypothesis ensures that R holds when execution of all transactions has terminated:

H3: (post(PO(τ0)) ∧ ... ∧ post(PO(τ_{N−1}))) ⇒ R.


The last hypothesis of the cobegin Rule is called interference freedom [OG76]. For α an atomic operation and A an assertion in FPO(Σ), α is parallel to A (denoted α ∥ A) if α occurs in one transaction and A occurs in the proof outline of another. Interference freedom ensures that no atomic operation invalidates an assertion to which it is parallel:

H4: (∀ α, A: α ∥ A: NI(α, A): {pre(α) ∧ A} α {A}).

When NI(α, A) is not valid for some α parallel to A, we say that α interferes with A.

A full proof outline satisfying the hypotheses of the cobegin Rule can be constructed by a step-wise derivation in which sequential proof outlines are chosen to satisfy some of the hypotheses initially, and are transformed in a series of steps until they satisfy the remaining hypotheses [SA87].

Method 3.1.1 (Deriving Full Proof Outlines) To derive a full proof outline

{Q} cobegin PO(τ0) ∥ ... ∥ PO(τ_{N−1}) coend {R}

that satisfies the hypotheses of the cobegin Rule, do the following.

1. Construct Sequential Proof Outlines. Construct valid sequential proof outlines PO(τ0), ..., PO(τ_{N−1}) satisfying hypotheses H1 and H2.

2. Eliminate Interference. While hypothesis H4 remains unsatisfied, do the following.

(a) Enumerate and check the interference freedom formulas.

(b) Choose an invalid NI(α, A) for α in PO(τ_i) and A in PO(τ_j) and do one of the following.

• Strengthen pre(α). Replace pre(α) by a stronger assertion¹ pre(α)' such that the interference freedom formula {pre(α)' ∧ A} α {A} is valid, strengthening assertions that precede pre(α)' as necessary to ensure that PO(τ_i) remains valid.

• Weaken A. Replace A by a weaker assertion² A' such that the interference freedom formula {pre(α) ∧ A'} α {A'} is valid, weakening assertions that follow A' as necessary to ensure that PO(τ_j) remains valid.

3. Check that the resulting proof outlines satisfy hypothesis H3.


3.2  Interference  and  Synchronization 


Even when PO(Σ) of Equation 3.1 is not valid, it is often possible to derive synchronization that ensures that PO(Σ) is valid by examining where constructing FPO(Σ) with Method 3.1.1 fails.

It will always be possible to construct proof outlines PO(τ0), ..., PO(τ_{N−1}) that satisfy hypotheses H1 and H2 as specified by the first step of the method. Suppose that in the second step, an invalid triple NI(α, A) for α in PO(τ_i) and A in PO(τ_j) is discovered. Two options are available: replacing pre(α) by the stronger assertion pre(α) ∧ (¬A ∨ wp(α, A)) or replacing A by the weaker assertion A ∨ post(α). However, the other hypotheses of the cobegin Rule effectively limit the strength of pre(α) and the weakness of A.

¹ pre(α)' is stronger than pre(α) if pre(α)' ⇒ pre(α) and pre(α) ⇏ pre(α)'.
² A' is weaker than A if A ⇒ A' and A' ⇏ A.

In particular, hypothesis H2 limits how strong pre(PO(τ_i)) can be made. Because H1 requires PO(τ_i) to remain valid, the strength of pre(PO(τ_i)) effectively limits the strength of pre(α) and other assertions that follow pre(PO(τ_i)). In a similar manner, hypothesis H3 limits how weak post(PO(τ_j)) can be made, and consequently how weak A and other assertions preceding post(PO(τ_j)) can be made. Because of these limitations, it is possible to reach a point in Method 3.1.1 at which an invalid interference freedom formula NI(α, A) has been identified, but pre(α) cannot be strengthened or A weakened enough to eliminate this interference without making it impossible to satisfy one of the hypotheses H1 through H3.

Such conflicts can be overcome if a method of selectively strengthening assertions can be found. With such a method, pre(α) could be strengthened enough to eliminate interference while assertions that precede it are left weak enough to ensure that other hypotheses remain satisfied. Likewise, A could be made weak enough to eliminate interference while assertions that follow A are strengthened to ensure that other hypotheses remain satisfied.

In the remainder of this chapter, we will demonstrate how locking can be used to implement the synchronization required to do this. We first show how locking can be used to ensure that concurrent execution of transactions preserves a certain type of invariant, called an exclusion invariant. We then show how the problem of strengthening assertions selectively can be reduced to one of preserving invariants of this type.
3.3 Exclusion Invariants

A locking protocol Λ can be specified as a triple (M, LC, R), where M is a set of lock modes, LC is the lock compatibility relation on these modes, and R is the set of rules that transactions must follow when acquiring and releasing locks. A lock with mode "M" is denoted ℓ[M]. Locking protocols described in the literature often use locks that are associated with system variables. In read/write locking protocols, for example, each read or write lock is associated with a particular variable or set of variables. Locks associated with variables can be formulated in our notation by including the associated variables in the mode of the lock. For example, read and write locks on x can be denoted ℓ[r(x)] and ℓ[w(x)], respectively.

The set of locks held by a transaction τ_i is denoted ls_i. Lock compatibility relation LC is a predicate on the lock sets of the transactions of Σ. To add locks to ls_i, τ_i acquires them with the operation

Vo,' ■

and to remove locks from ls_i, τ_i releases them with the operation

rellf

The predicate

is true if and only if τ_i has acquired locks released them.

A database system synchronized with a locking protocol can be denoted by a pair (Λ, Σ). Here, Λ = (M, LC, R) is a locking protocol and Σ = (V, C, T, ≡) is a database system such that V contains the lock set ls_i for each transaction τ_i ∈ T, C ⇒ LC, and each transaction τ_i ∈ T follows the rules of R.

The local state of a transaction τ_i is the part of the system state that only τ_i can modify. For example, variables that only τ_i can modify are components of the local state of τ_i, as is the value of the program counter of τ_i. A predicate LP is local to τ_i if LP is a predicate on the local state of τ_i.

An exclusion invariant is a predicate of the form

XI: ¬(LP ∧ LQ),

where LP and LQ are predicates local to different transactions τ_i and τ_j, respectively. Locking implements synchronization that prevents sections of different transactions from interleaving with each other. If we view locking assertionally, locking protocols can be used to preserve exclusion invariants. This is accomplished by giving modes and rules that couple the local state of transactions to the sets of locks they hold, and lock compatibility relations that provide the necessary exclusion. The following theorem suggests a way to do this.

Theorem 3.3.1 Let LP and LQ be local predicates of transactions τ_i and τ_j of Σ, and let "M0" and "M1" be modes of the locking protocol Λ of (Λ, Σ). Then

LP ⇒ ls_i ⊇ {ℓ[M0]}, (3.3)

LQ ⇒ ls_j ⊇ {ℓ[M1]} (3.4)

and

LC ⇒ ¬(ls_i ⊇ {ℓ[M0]} ∧ ls_j ⊇ {ℓ[M1]}) (3.5)

imply

¬(LP ∧ LQ). □

Proof of Theorem 3.3.1 By Predicate Logic, (3.3) and (3.4) imply

(LP ∧ LQ) ⇒ (ls_i ⊇ {ℓ[M0]} ∧ ls_j ⊇ {ℓ[M1]}). (3.6)

Since A ⇒ B if and only if ¬B ⇒ ¬A, (3.6) implies

¬(ls_i ⊇ {ℓ[M0]} ∧ ls_j ⊇ {ℓ[M1]}) ⇒ ¬(LP ∧ LQ).

From this it follows that (3.3), (3.4) and (3.5) imply

¬(LP ∧ LQ). □

From Theorem 3.3.1 follows a method for using locking to guarantee an exclusion invariant.

Method 3.3.2 (Guaranteeing Exclusion Invariants) Let Σ be a database system synchronized under locking protocol Λ = (M, LC, R), and let LP and LQ be local predicates of transactions τ_i and τ_j, respectively, of Σ. The transactions of Σ can be synchronized to ensure that

XI: ¬(LP ∧ LQ)

remains true by doing the following.

1. Introduce Lock Modes. Add new lock modes "M0" and "M1" to M.

2. Strengthen Lock Compatibility. Strengthen LC so that

LC ⇒ ¬(ls_i ⊇ {ℓ[M0]} ∧ ls_j ⊇ {ℓ[M1]}).

3. Strengthen Rules. Add rules to R that ensure that

LPI: LP ⇒ ls_i ⊇ {ℓ[M0]}

and

LQI: LQ ⇒ ls_j ⊇ {ℓ[M1]}

remain true at all times. □
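The following Python example, added here and not part of the dissertation, explores every interleaving of two small transactions synchronized as in Method 3.3.2; the mode names, the shape of the rules in R and the step labels are assumptions made for the example. It shows that the rules alone keep LPI and LQI true, but only the strengthened LC makes XI hold in every reachable state.

```python
# Added example (not from the dissertation): exhaustive state-space search over
# two transactions τ_i and τ_j.  LP ("τ_i is inside its protected section") and
# LQ are local predicates on the program counters.  The rules R are modelled by
# acquiring ℓ[M0] (resp. ℓ[M1]) before the section and releasing it afterwards.
# Mode names "M0"/"M1" and the five-step transaction shape are assumptions.


def make_transaction(mode):
    """Atomic operations of one transaction, in program order."""
    return [("acq", mode),   # R: acquire ℓ[mode] before entering the section
            ("skip",),       # protected section, first atomic step
            ("skip",),       # protected section, second atomic step
            ("rel", mode),   # R: release ℓ[mode] on leaving the section
            ("skip",)]       # end(τ)


def in_section(pc):
    """LP (for τ_i) or LQ (for τ_j): the acquire has executed and the
    release has not, i.e. pc is 1, 2 or 3."""
    return pc in (1, 2, 3)


def lc_exclusive(ls_i, ls_j):
    """LC after step 2 of Method 3.3.2: ¬(ls_i ⊇ {ℓ[M0]} ∧ ls_j ⊇ {ℓ[M1]})."""
    return not ("M0" in ls_i and "M1" in ls_j)


def lc_trivial(ls_i, ls_j):
    """LC = true: every combination of lock sets is compatible."""
    return True


def execute(trans, pc, ls):
    """Effect of the next atomic operation on (pc, ls); None once finished."""
    if pc >= len(trans):
        return None
    op = trans[pc]
    ls = set(ls)
    if op[0] == "acq":
        ls.add(op[1])
    elif op[0] == "rel":
        ls.discard(op[1])
    return pc + 1, frozenset(ls)


def reachable_states(lc):
    """All (pc_i, ls_i, pc_j, ls_j) reachable by interleaving τ_i and τ_j.
    A step whose resulting lock sets violate LC is not enabled (the
    transaction waits); that is how LC synchronizes the transactions."""
    ti, tj = make_transaction("M0"), make_transaction("M1")
    start = (0, frozenset(), 0, frozenset())
    seen, stack = {start}, [start]
    while stack:
        pci, lsi, pcj, lsj = stack.pop()
        successors = []
        nxt = execute(ti, pci, lsi)
        if nxt is not None:
            successors.append((nxt[0], nxt[1], pcj, lsj))
        nxt = execute(tj, pcj, lsj)
        if nxt is not None:
            successors.append((pci, lsi, nxt[0], nxt[1]))
        for cand in successors:
            if lc(cand[1], cand[3]) and cand not in seen:
                seen.add(cand)
                stack.append(cand)
    return seen


def exclusion_invariant_holds(lc):
    """XI: ¬(LP ∧ LQ) holds in every reachable state."""
    return all(not (in_section(pci) and in_section(pcj))
               for pci, _, pcj, _ in reachable_states(lc))


def rules_hold(lc):
    """LPI: LP ⇒ ls_i ⊇ {ℓ[M0]} and LQI: LQ ⇒ ls_j ⊇ {ℓ[M1]} everywhere."""
    return all((not in_section(pci) or "M0" in lsi)
               and (not in_section(pcj) or "M1" in lsj)
               for pci, lsi, pcj, lsj in reachable_states(lc))


if __name__ == "__main__":
    for name, lc in (("LC = true", lc_trivial), ("strengthened LC", lc_exclusive)):
        print(name, "rules hold:", rules_hold(lc),
              "XI holds:", exclusion_invariant_holds(lc))
```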

3.4  Using  Locking  to  Strengthen  Assertions 
Selectively 

We now return to our original goal, which was to synchronize transactions so that an assertion P in a proof outline PO(τ_i) can be strengthened selectively. Without loss of generality, assume that P is to be replaced by a stronger assertion P' such that P' ⇒ (P ∧ B). For certain choices of B, the problem of replacing P by P' can be reduced to one of guaranteeing a set of exclusion invariants, as we now show.

Lemma 3.4.1 Let

FPO(Σ): {Q} cobegin PO(τ0) ∥ ... ∥ PO(τ_{N−1}) coend {R}

be a full proof outline for a database system Σ and let P be an assertion in one of the PO(τ_i). Let LP be a predicate local to τ_i such that

P ⇒ LP (3.7)

and for each 0 ≤ j ≠ i < N let LQ_j be a predicate local to τ_j such that

P ⇒ (B ∨ ⋁_{0≤j≠i<N} LQ_j). (3.8)

Then

(P ∧ ⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j)) ⇒ (P ∧ B). □

Proof of Lemma 3.4.1 From (3.7) and (3.8) it follows that

P ⇒ (LP ∧ (B ∨ ⋁_{0≤j≠i<N} LQ_j)). (3.9)

Since conjunction distributes over disjunction, (3.9) implies

P ⇒ ((LP ∧ B) ∨ ⋁_{0≤j≠i<N} (LP ∧ LQ_j)). (3.10)

Because

(⋁_{0≤j≠i<N} (LP ∧ LQ_j)) ≡ ¬(⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j))

and because disjunction is commutative, (3.10) is equivalent to

P ⇒ (¬(⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j)) ∨ (LP ∧ B)). (3.11)

By Predicate Logic, (3.11) is equivalent to

(P ∧ ⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j)) ⇒ (LP ∧ B),

from which it follows that

(P ∧ ⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j)) ⇒ B. (3.12)

Because P appears in the antecedent of (3.12) and P ⇒ P, (3.12) implies

(P ∧ ⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j)) ⇒ (P ∧ B).

Provided local predicates LP and LQ_j satisfying hypotheses (3.7) and (3.8) can be found, Method 3.3.2 can be used to strengthen P with each of the exclusion invariants ¬(LP ∧ LQ_j). The resulting assertion P' will imply P ∧ ⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j), and therefore by Lemma 3.4.1 will satisfy P' ⇒ (P ∧ B). This gives the following method for using locking to strengthen assertions.

Method 3.4.2 (Selectively Strengthening Assertions) Let

FPO(Σ): {Q} cobegin PO(τ0) ∥ ... ∥ PO(τ_{N−1}) coend {R}

be a full proof outline for database system Σ and let P be an assertion in one of the PO(τ_i). To strengthen P to an assertion P' such that P' ⇒ (P ∧ B), do the following.

1. Choose Local Predicates. Choose a predicate LP local to τ_i such that

P ⇒ LP

and for each 0 ≤ j ≠ i < N choose a predicate LQ_j local to τ_j such that

P ⇒ (B ∨ ⋁_{0≤j≠i<N} LQ_j).

2. Guarantee Exclusion Invariants. Use Method 3.3.2 to guarantee that

¬(LP ∧ LQ_j)

is an invariant for each 0 ≤ j ≠ i < N. Take P' = P ∧ ⋀_{0≤j≠i<N} ¬(LP ∧ LQ_j). □
Using Method 3.4.2 to help eliminate interference selectively in the manner described in the preceding sections, our method for proving the serializability of a database system (Method 2.5.3) can be transformed into a method for deriving synchronization that ensures Σ is serializable.


Method 3.4.3 (Deriving Synchronization for Serializability) To derive a locking protocol Λ = (M, LC, R) for database system Σ = (V, C, T, ≡) such that (Λ, Σ) is serializable, do the following.

1. Approximate Λ and Σ. Choose an initial version of Λ and modify Σ as necessary to follow Λ.

2. Define Shadow Variables and Transactions. Define shadow variables V̂ and shadow transactions T̂ corresponding to the variables V and transactions T of Σ.

3. Form Synchronized Augmented System. Construct an augmented system Σ*, giving the synchronized augmented system (Λ, Σ*).

4. Derive Synchronization. Strengthen the locking protocol Λ so that it becomes possible to construct the valid full proof outline

FSD1(Σ*): {C ∧ V = V̂} cobegin PO(τ0*) ∥ ... ∥ PO(τ*_{N−1}) coend {V ≡ V̂}

as follows.

(a) Construct Sequential Proof Outlines. Construct valid proof outlines PO(τ_i*) satisfying hypotheses H1 and H2.

(b) Eliminate Interference. While hypothesis H4 remains unsatisfied, do the following.

i. Enumerate and check the interference freedom formulas.

ii. Choose an invalid NI(α, A) for α in PO(τ_i*) and A in PO(τ_j*) and do one of the following.

• Strengthen pre(α). If possible, replace pre(α) by a stronger assertion pre(α)' such that {pre(α)' ∧ A} α {A} is valid, strengthening assertions that precede pre(α)' enough that PO(τ_i*) remains valid as required by hypothesis H1 but not enough that hypothesis H2 is invalidated. If hypotheses H1 and H2 prohibit strengthening pre(α) enough to eliminate interference, use Method 3.4.2 to selectively strengthen pre(α) without invalidating these hypotheses.

• Weaken A. If possible, replace A by a weaker assertion A' such that the interference freedom formula {pre(α) ∧ A'} α {A'} is valid, weakening assertions that follow A' enough that PO(τ_j*) remains valid as required by hypothesis H1 but not enough that hypothesis H3 becomes unattainable. If hypotheses H1 and H3 prohibit weakening A enough to eliminate interference, use Method 3.4.2 to selectively strengthen an assertion following A so that A can be weakened without invalidating these hypotheses.

(c) Check that the resulting proof outlines satisfy hypothesis H3.

5. Infer SD1(Σ*). Using the Assertion Deletion Rule, infer

SD1(Σ*): {C ∧ V = V̂} cobegin τ0* ∥ ... ∥ τ*_{N−1} coend {V ≡ V̂}

from FSD1(Σ*).

6. Prove Termination. Prove that execution of Σ* terminates when started with C ∧ V = V̂ true.


3.5  An  Example 

To illustrate use of Method 3.4.3 to derive locking protocols for serializability, we consider a database system that supports a simple banking application. In deriving synchronization for serializability, we will illustrate another point as well. This example was first used in [L76] to argue that serializability is inappropriate as a correctness criterion because of the restrictions it imposes on concurrency among transactions. We will show that choosing an equivalence relation that more accurately reflects the semantics of the banking application makes it possible to derive a locking protocol that does ensure serializability while at the same time ensuring a high degree of concurrency among transactions.

Database system Σ5 of Figure 3.1 models a simple banking application. Variables V5 include an array a[0..N] that models account balances. For j > 0, array element a[j] holds the balance of a customer account; a[0] holds the balance of a dummy account that is equal to minus the sum of the customer accounts, modeling the bank's financial obligation to its customers. This implies a consistency constraint that the elements of a sum to zero.

Transaction τ0 models an auditor that inspects account balances to determine if funds have been embezzled. The auditor accomplishes this by copying account balances into a ledger l for inspection at a later time. V5 contains an array l[0..N] modeling the ledger used by the auditor to record account balances. Transaction τ1 models a sequence of deposits, withdrawals and transfers. (A deposit to or withdrawal from an account a[j] would be implemented by a transfer between that account and the bank's account a[0].) Here, τ1 is shown performing only two such updates, to simplify analysis. To ensure that array references by τ1 are within a's range of subscripts, C5 bounds variables c0, d0, c1 and d1.

States equivalent under ≡5 are those in which corresponding elements of a[0..N] and variables c0, d0, c1 and d1 have the same value, and in which the elements of l[0..N] sum to the same value.¹ The latter property of ≡5 reflects that only the sum of ledger

¹This value is 0 for consistent states.
Σ5 = (V5, C5, T5, ≡5),

V5 = (a[0..N], l[0..N], k, c0, d0, t0, c1, d1, t1, cf0, cf1),

C5 = (N > 0 ∧ 0 = Σ_{0≤j≤N} a[j] ∧ 0 ≤ c0 ≤ d0 ≤ N ∧ 0 ≤ c1 ≤ d1 ≤ N),

T5 = {τ0, τ1},

τ0 = A0: ⟨k, l[0] := 0, a[0]⟩;
     do k ≠ N →
        A1: ⟨k, l[k + 1] := k + 1, a[k + 1]⟩
     od;
     A2: ⟨end(τ0)⟩,

τ1 = T0: ⟨a[c0], a[d0] := a[c0] + t0, a[d0] − t0⟩;
     T1: ⟨a[c1], a[d1] := a[c1] + t1, a[d1] − t1⟩;
     T2: ⟨end(τ1)⟩,

(V5' ≡5 V5'')
  ≡ (a'[0..N] = a''[0..N] ∧ Σ_{0≤j≤N} l'[j] = Σ_{0≤j≤N} l''[j]
     ∧ c0' = c0'' ∧ d0' = d0'' ∧ c1' = c1'' ∧ d1' = d1'' ∧ cf0' = cf0'' ∧ cf1' = cf1'')

Figure 3.1: Database System Σ5 for an Idealized Banking Application.

entries  is  significant  in  the  context  of  the  banking  application. 

When τ0 and τ1 run concurrently, it is possible for T0 or T1 in τ1 to credit an account c that has already been recorded in l[0..N] and debit an account d that has not yet been recorded. If this occurs, then l[0..N] will not sum to zero when τ0 completes, and the auditor's ledger will incorrectly reflect that funds have been embezzled. To prevent this, we use Method 3.4.3 to derive a synchronized system (Λ6,Σ6) that is serializable.

First, we choose a trivial locking protocol Λ6 with no rules and add lock sets to the variables of Σ5 to give the synchronized database system (Λ6,Σ6) of Figure 3.2.

Λ6 = (M6, LC6, R6),

M6 = {},

LC6 = true,

R6 = {},

Σ6 = (V6, C6, T6, ≡6),

V6 = {a[0..N], l[0..N], k, c0, d0, t0, c1, d1, t1, cf0, cf1, ls0, ls1},

C6 = C5,

T6 = T5,

(V6' ≡6 V6'') ≡ (a'[0..N] = a''[0..N] ∧ Σ_{0≤j≤N} l'[j] = Σ_{0≤j≤N} l''[j] ∧ cf0' = cf0'' ∧ cf1' = cf1''
                 ∧ c0' = c0'' ∧ d0' = d0'' ∧ c1' = c1'' ∧ d1' = d1'' ∧ ls0' = ls0'' ∧ ls1' = ls1'')

Figure 3.2: Synchronized Database System (Λ6,Σ6).
Next, we define shadow variables

V̄6 = (ā[0..N], l̄[0..N], k̄, c̄0, d̄0, t̄0, c̄1, d̄1, t̄1, c̄f0, c̄f1, l̄s0, l̄s1)

corresponding to those of V6, and shadow transactions

τ̄0 = ⟨k̄, l̄[0] := 0, ā[0]⟩;
     do k̄ ≠ N →
        ⟨k̄, l̄[k̄+1] := k̄+1, ā[k̄+1]⟩
     od;
     ⟨end(τ̄0)⟩

τ̄1 = ⟨ā[c̄0], ā[d̄0] := ā[c̄0] + t̄0, ā[d̄0] − t̄0⟩;
     ⟨ā[c̄1], ā[d̄1] := ā[c̄1] + t̄1, ā[d̄1] − t̄1⟩;
     ⟨end(τ̄1)⟩

corresponding to τ0 and τ1. With these we form the augmented system (Λ6,Σ6*) of Figure 3.3.

Σ6* = (V6*, C6, T6*, ≡6),

V6* = V6 ∪ V̄6,

T6* = {τ0*, τ1*},

τ0* = A0: ⟨k, l[0] := 0, a[0]⟩;
      do k ≠ N →
         A1: ⟨k, l[k+1] := k+1, a[k+1]⟩
      od;
      A2: ⟨end(τ0); τ̄0⟩

τ1* = T0: ⟨a[c0], a[d0] := a[c0] + t0, a[d0] − t0⟩;
      T1: ⟨a[c1], a[d1] := a[c1] + t1, a[d1] − t1⟩;
      T2: ⟨end(τ1); τ̄1⟩

Figure 3.3: Augmented Database System Σ6*.

Next, we strengthen the locking protocol Λ6 so that a valid full proof outline FSD1(Σ6*) can be constructed from which SD1(Σ6*) can be inferred. We present the derivation of Λ6 as a succession of versions of (Λ6,Σ6*) and FSD1(Σ6*). Each version follows from the previous by a change to the database that makes progress towards satisfying the hypotheses of the cobegin Rule.


As a proof outline for the initial version (Λ6,Σ6*) of Figure 3.3 we construct

FSD1(Σ6*):
{C6 ∧ V6 = V̄6}
cobegin PO(τ0*) || PO(τ1*) coend
{a[0..N] = ā[0..N] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} l̄[j] ∧ cf0 = c̄f0 ∧ cf1 = c̄f1
 ∧ c0 = c̄0 ∧ d0 = d̄0 ∧ c1 = c̄1 ∧ d1 = d̄1 ∧ ls0 = l̄s0 ∧ ls1 = l̄s1}

where PO(τ0*) and PO(τ1*) are the proof outlines of Figures 3.4 and 3.5. Each assertion of PO(τ0*) and PO(τ1*) contains the invariant

I0: C6 ∧ c0 = c̄0 ∧ d0 = d̄0 ∧ t0 = t̄0 ∧ c1 = c̄1 ∧ d1 = d̄1 ∧ t1 = t̄1 ∧ cf0 = c̄f0 ∧ cf1 = c̄f1.

It is easy to verify that FSD1(Σ6*) satisfies hypotheses H1 and H2 of the cobegin Rule, so we omit the details here.

Next, we enumerate and check the interference freedom formulas. When this is done, we find that NI(T0, post(A0)), NI(T0, pre(A1)) and NI(T0, post(A1)) are invalid because T0 can make the conjunct

P0: (Σ_{0≤j≤k} l[j] + Σ_{k<j≤N} a[j]) = Σ_{0≤j≤N} ā[j]

of the loop invariant false by transferring funds between an account in a[0..k] that has already been audited and an account in a[k+1..N] that has not. For the same reason, NI(T1, post(A0)), NI(T1, pre(A1)) and NI(T1, post(A1)) are also invalid.

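The interference argument above can be checked mechanically. The following is an added example, not code from the dissertation: it enumerates audit positions k and transfers (c0, d0) allowed by C5, builds a state in which P0 holds, runs T0, and tests whether P0 survives, then compares the failing cases with the set c0 ≤ k < d0 that pre(T0)' must exclude. N, the balances in SAMPLE_A and the amount T0_AMOUNT are constructed values.

```python
"""Added example, not from the dissertation: brute-force check of the
interference-freedom formulas NI(T0, A) for the assertions A of PO(tau0*)
that contain the loop invariant P0.  N, the balances and t0 are constructed."""
from itertools import combinations

N = 4              # accounts are a[0..N]
T0_AMOUNT = 3      # constructed value of t0 (any non-zero amount behaves alike)


def p0_holds(a, l, k, abar):
    """P0: (sum_{0<=j<=k} l[j] + sum_{k<j<=N} a[j]) = sum_{0<=j<=N} abar[j]."""
    return sum(l[:k + 1]) + sum(a[k + 1:]) == sum(abar)


def run_t0(a, c0, d0, t0):
    """T0: <a[c0], a[d0] := a[c0] + t0, a[d0] - t0>, returned as a new list."""
    a = list(a)
    a[c0] += t0
    a[d0] -= t0
    return a


def interfering_cases(a0):
    """Return the set of (k, c0, d0) for which T0 falsifies P0 when started
    in a state satisfying P0, i.e. after the auditor has copied a[0..k] into
    l[0..k].  abar is the shadow copy, which T0 itself never modifies."""
    abar = list(a0)
    bad = set()
    for k in range(N + 1):
        l = a0[:k + 1] + [0] * (N - k)         # ledger after k+1 copies
        for c0, d0 in combinations(range(N + 1), 2):   # C5: 0 <= c0 < d0 <= N
            assert p0_holds(a0, l, k, abar)    # precondition of the triple
            if not p0_holds(run_t0(a0, c0, d0, T0_AMOUNT), l, k, abar):
                bad.add((k, c0, d0))
    return bad


def predicted_cases():
    """The cases the text identifies: transfers that straddle the audit
    boundary, c0 <= k < d0, which is exactly what pre(T0)' must rule out."""
    return {(k, c0, d0)
            for k in range(N + 1)
            for c0, d0 in combinations(range(N + 1), 2)
            if c0 <= k < d0}


SAMPLE_A = [-10, 4, 3, 2, 1]   # constructed balances; they sum to zero (C5)
```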
It is not possible to weaken PO(τ0*) by deleting this conjunct because doing so would make it impossible to obtain a postcondition post(PO(τ0*)) strong enough to satisfy hypothesis H3 of the cobegin Rule. Consequently, we strengthen pre(T0) and pre(T1).
PO(τ0*):
{I0 ∧ Σ_{0≤j≤N} a[j] = Σ_{0≤j≤N} ā[j]}
A0: ⟨k, l[0] := 0, a[0]⟩;
{I0 ∧ P0: (Σ_{0≤j≤k} l[j] + Σ_{k<j≤N} a[j]) = Σ_{0≤j≤N} ā[j]}
do k ≠ N →
   {I0 ∧ P0 ∧ k ≠ N}
   A1: ⟨k, l[k+1] := k+1, a[k+1]⟩
   {I0 ∧ P0}
od;
{I0 ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} ā[j]}
A2: ⟨end(τ0); τ̄0⟩
{I0 ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} l̄[j]}

Figure 3.4: Version 1 of PO(τ0*).

PO(τ1*):
{I0 ∧ ⋀_{0≤j≤N} a[j] = ā[j]}
T0: ⟨a[c0], a[d0] := a[c0] + t0, a[d0] − t0⟩;
{I0 ∧ ⋀_{j≠c0,d0} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0}
T1: ⟨a[c1], a[d1] := a[c1] + t1, a[d1] − t1⟩;
{I0 ∧ ⋀_{j≠c0,d0,c1,d1} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0
     ∧ a[c1] = ā[c1] + t1 ∧ a[d1] = ā[d1] − t1}
T2: ⟨end(τ1); τ̄1⟩
{I0 ∧ ⋀_{0≤j≤N} a[j] = ā[j]}

Figure 3.5: Version 1 of PO(τ1*).

Since

{pre(T0) ∧ ¬(c0 ≤ k < d0) ∧ P0} T0 {P0}

and

{pre(T1) ∧ ¬(c1 ≤ k < d1) ∧ P0} T1 {P0}

are both valid, interference by T0 and T1 can be eliminated by replacing pre(T0) and pre(T1) by stronger assertions pre(T0)' and pre(T1)' such that

pre(T0)' ⇒ (pre(T0) ∧ ¬(c0 ≤ k < d0))

and

pre(T1)' ⇒ (pre(T1) ∧ ¬(c1 ≤ k < d1)).

However, strengthening pre(T0) and pre(T1) in this way would require replacing pre(PO(τ1*)) by a stronger assertion that implies both ¬(c0 ≤ k < d0) and ¬(c1 ≤ k < d1). Since neither C6 nor V6 = V̄6 in pre(FSD1(Σ6*)) implies these predicates, strengthening pre(T0) and pre(T1) in this way would violate hypothesis H2. Consequently, we use Method 3.4.2 to strengthen pre(T0) and pre(T1) selectively.

To facilitate application of the method, we introduce a Boolean array At[0..N] of auxiliary variables local to τ0* and another Boolean array In[0..N] of auxiliary variables local to τ1*. Elements of At are used to indicate in the local state of τ0* the value of k at points where assertions that are interfered with appear. This is accomplished by adding assignments to τ0* that ensure

A ⇒ At[k]

for every assertion A in PO(τ0*) that contains P0.

In a similar manner, elements of In are used to indicate in the local state of τ1* the indices j in the range c0 ≤ j < d0 at the point preceding T0, and those in the range c1 ≤ j < d1 at the point preceding T1. This is accomplished by adding to τ1* assignments that ensure

pre(T0) ⇒ ⋀_{c0≤j<d0} In[j]

and

pre(T1) ⇒ ⋀_{c1≤j<d1} In[j].

This gives the second version of (Λ6,Σ6*), where Λ6 remains unchanged from Figure 3.2 and Σ6* is shown in Figure 3.6. The proof outline for this version is

FSD1(Σ6*):
{C6 ∧ V6 = V̄6}
⟨At[0], In[0], ..., At[N], In[N] := false, ..., false⟩;
{C6 ∧ V6 = V̄6 ∧ ⋀_{0≤j≤N} (¬At[j] ∧ ¬In[j])}
cobegin PO(τ0*) || PO(τ1*) coend
{a[0..N] = ā[0..N] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} l̄[j] ∧ cf0 = c̄f0 ∧ cf1 = c̄f1
 ∧ c0 = c̄0 ∧ d0 = d̄0 ∧ c1 = c̄1 ∧ d1 = d̄1 ∧ ls0 = l̄s0 ∧ ls1 = l̄s1}

where PO(τ0*) and PO(τ1*) are the proof outlines of Figures 3.7 and 3.8.

Σ6* = (V6*, C6, T6*, ≡6),

V6* = V6 ∪ V̄6,

T6* = {τ0*, τ1*},

τ0* = ⟨At[0] := true⟩;
      A0: ⟨k, l[0] := 0, a[0]⟩;
      do k ≠ N →
         ⟨At[k+1] := true⟩;
         A1: ⟨k, l[k+1] := k+1, a[k+1]⟩;
         ⟨At[k−1] := false⟩
      od;
      ⟨At[N] := false⟩;
      A2: ⟨end(τ0); τ̄0⟩

τ1* = ⟨In[c0], ..., In[d0−1] := true, ..., true⟩;
      T0: ⟨a[c0], a[d0] := a[c0] + t0, a[d0] − t0⟩;
      ⟨In[c0], ..., In[d0−1] := false, ..., false⟩;
      ⟨In[c1], ..., In[d1−1] := true, ..., true⟩;
      T1: ⟨a[c1], a[d1] := a[c1] + t1, a[d1] − t1⟩;
      ⟨In[c1], ..., In[d1−1] := false, ..., false⟩;
      T2: ⟨end(τ1); τ̄1⟩

Figure 3.6: Version 2 of Σ6*.

   A1: ⟨k, l[k+1] := k+1, a[k+1]⟩;
   {I0 ∧ At[k−1] ∧ At[k] ∧ ⋀_{0≤j≤N, j≠k−1,k} ¬At[j] ∧ P0}
   ⟨At[k−1] := false⟩
   {I0 ∧ At[k] ∧ ⋀_{0≤j≤N, j≠k} ¬At[j] ∧ P0}
od;
{I0 ∧ At[N] ∧ ⋀_{0≤j<N} ¬At[j] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} ā[j]}
⟨At[N] := false⟩;
{I0 ∧ ⋀_{0≤j≤N} ¬At[j] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} ā[j]}
A2: ⟨end(τ0); τ̄0⟩
{I0 ∧ ⋀_{0≤j≤N} ¬At[j] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} l̄[j]}

Figure 3.7: Version 2 of PO(τ0*).

PO(τ1*):
{I0 ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{0≤j≤N} a[j] = ā[j]}
⟨In[c0], ..., In[d0−1] := true, ..., true⟩;
{I0 ∧ ⋀_{c0≤j<d0} In[j] ∧ ⋀_{¬(c0≤j<d0)} ¬In[j] ∧ ⋀_{0≤j≤N} a[j] = ā[j]}
T0: ⟨a[c0], a[d0] := a[c0] + t0, a[d0] − t0⟩;
{I0 ∧ ⋀_{c0≤j<d0} In[j] ∧ ⋀_{¬(c0≤j<d0)} ¬In[j] ∧ ⋀_{j≠c0,d0} a[j] = ā[j]
     ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0}
⟨In[c0], ..., In[d0−1] := false, ..., false⟩;
{I0 ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{j≠c0,d0} a[j] = ā[j]
     ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0}
⟨In[c1], ..., In[d1−1] := true, ..., true⟩;
{I0 ∧ ⋀_{c1≤j<d1} In[j] ∧ ⋀_{¬(c1≤j<d1)} ¬In[j] ∧ ⋀_{j≠c0,d0} a[j] = ā[j]
     ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0}
T1: ⟨a[c1], a[d1] := a[c1] + t1, a[d1] − t1⟩;
{I0 ∧ ⋀_{c1≤j<d1} In[j] ∧ ⋀_{¬(c1≤j<d1)} ¬In[j] ∧ ⋀_{j≠c0,d0,c1,d1} a[j] = ā[j]
     ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0 ∧ a[c1] = ā[c1] + t1 ∧ a[d1] = ā[d1] − t1}
⟨In[c1], ..., In[d1−1] := false, ..., false⟩;
{I0 ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{j≠c0,d0,c1,d1} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0
     ∧ a[d0] = ā[d0] − t0 ∧ a[c1] = ā[c1] + t1 ∧ a[d1] = ā[d1] − t1}
T2: ⟨end(τ1); τ̄1⟩
{I0 ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{0≤j≤N} a[j] = ā[j]}

Figure 3.8: Version 2 of PO(τ1*).

With the introduction of these auxiliary variables,

{pre(T0) ∧ ⋀_{c0≤j<d0} ¬At[j] ∧ A} T0 {A}

and

{pre(T1) ∧ ⋀_{c1≤j<d1} ¬At[j] ∧ A} T1 {A}

now are valid for every assertion A containing P0. Thus, we can prevent T0 and T1 from interfering with assertions containing P0 by strengthening pre(T0) and pre(T1) to assertions pre(T0)' and pre(T1)' such that

pre(T0)' ⇒ (pre(T0) ∧ ¬At[j])

for every c0 ≤ j < d0 and

pre(T1)' ⇒ (pre(T1) ∧ ¬At[j])

for every c1 ≤ j < d1. We do this using Method 3.4.2.

To use Method 3.4.2 to strengthen pre(T0) with a particular ¬At[j], we must choose a predicate LP local to τ1* such that

pre(T0) ⇒ LP.

Since

pre(T0) ⇒ In[j]

for each c0 ≤ j < d0, we choose LP = In[j].

As the next step of Method 3.4.2, we must choose a predicate LQ local to τ0* such that

pre(T0) ⇒ (¬At[j] ∨ LQ).

Since

pre(T0) ⇒ (¬At[j] ∨ At[j])

tautologically, we choose LQ = At[j].

As the last step of strengthening pre(T0), we strengthen the locking protocol Λ6 to guarantee that

¬(In[j] ∧ At[j])

is invariant. Following Method 3.3.2 for establishing exclusion invariants, we define modes "IN[j]" and "AT[j]", strengthen LC6 so that

LC6 ⇒ ¬(ls1 ⊇ {ℓ[IN[j]]} ∧ ls0 ⊇ {ℓ[AT[j]]})

and add rules to R6 that ensure

LINj: In[j] ⇒ ls1 ⊇ {ℓ[IN[j]]}

and

LATj: At[j] ⇒ ls0 ⊇ {ℓ[AT[j]]}

remain true.

Method 3.4.2 is used to strengthen pre(T1) with ¬At[j] in a similar manner. Since

pre(T1) ⇒ In[j]

and

pre(T1) ⇒ (¬At[j] ∨ At[j])

for each c1 ≤ j < d1, we choose LP = In[j] and LQ = At[j]. Strengthening Λ6 to ensure that ¬(In[j] ∧ At[j]) is invariant is accomplished exactly as before.

Repeating for each appropriate value of j the steps described above for strengthening pre(T0) and pre(T1) with ¬At[j] results in the third version of Λ6, shown in Figure 3.9. Since c0, d0, c1 and d1 are not known in advance, we have made the modes, lock compatibility constraint and rules of Λ6 general enough for any possible values. The rules of R6 have been abbreviated by the invariants they require to remain true.


Λ6 = (M6, LC6, R6),

M6 = {AT[0], IN[0], ..., AT[N], IN[N]},

LC6 = ⋀_{0≤j≤N} ¬(ls1 ⊇ {ℓ[IN[j]]} ∧ ls0 ⊇ {ℓ[AT[j]]}),

R6 = {LIN0, LAT0, ..., LINN, LATN}.

Figure 3.9: Version 3 of Λ6.

Having strengthened Λ6, we must also modify Σ6* to ensure that it continues to follow the locking protocol. The rules of R6 require each LATj to remain true, and so τ0* must hold ℓ[AT[j]] whenever At[j] is true. Since each At[j] is false before the cobegin, τ0* satisfies these rules initially. To ensure that τ0* continues to satisfy R6, we add an operation to acquire ℓ[AT[j]] at the point where At[j] becomes true. The rules of R6 also require each LINj to remain true, which implies that τ1* must hold ℓ[IN[j]] whenever In[j] is true. Since each In[j] is false before the cobegin, τ1* satisfies these rules when it starts. To ensure that τ1* continues to satisfy them, we add an operation to acquire ℓ[IN[j]] at the point where In[j] becomes true.

Addition of these acquire operations requires that the consistency constraint C6 also be strengthened to ensure that transactions complete when started in a consistent state. We accomplish this by strengthening the consistency constraint to

C6': C6 ∧ ls0 = ls1 = {}.

To ensure that they leave a consistent state when started in one, τ0* and τ1* must release every lock they acquire. To promote concurrency, we place release operations so that locks are released as early as possible.

Since LATj is true whenever At[j] is false, we add operations to τ0* to release each ℓ[AT[j]] at the point where At[j] becomes false. Likewise, we add operations to τ1* to release each ℓ[IN[j]] at the point where In[j] becomes false. This gives the third version of Σ6* in Figure 3.10 and completes the third version of (Λ6,Σ6*). The proof outline for this version is

FSD1(Σ6*):
{C6' ∧ V6 = V̄6}
⟨At[0], In[0], ..., At[N], In[N] := false, ..., false⟩;
{C6' ∧ V6 = V̄6 ∧ ⋀_{0≤j≤N} (¬At[j] ∧ ¬In[j])}
cobegin PO(τ0*) || PO(τ1*) coend
{a[0..N] = ā[0..N] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} l̄[j] ∧ cf0 = c̄f0 ∧ cf1 = c̄f1
 ∧ c0 = c̄0 ∧ d0 = d̄0 ∧ c1 = c̄1 ∧ d1 = d̄1 ∧ ls0 = l̄s0 ∧ ls1 = l̄s1}

where PO(τ0*) and PO(τ1*) are the proof outlines of Figures 3.11 and 3.12. Each assertion of PO(τ0*) and PO(τ1*) contains the stronger invariant

I1: C6 ∧ c0 = c̄0 ∧ d0 = d̄0 ∧ t0 = t̄0 ∧ c1 = c̄1 ∧ d1 = d̄1 ∧ t1 = t̄1
    ∧ cf0 = c̄f0 ∧ cf1 = c̄f1 ∧ l̄s0 = l̄s1 = {}
    ∧ ⋀_{0≤j≤N} LINj ∧ ⋀_{0≤j≤N} LATj.

When the interference freedom formulas are enumerated and checked again, we find every formula NI(α, A) to be valid. Thus, FSD1(Σ6*) satisfies hypothesis H4 of the cobegin Rule. We have been careful to preserve hypotheses H1 and H2, and it is easy to verify that

(post(PO(τ0*)) ∧ post(PO(τ1*))) ⇒ post(FSD1(Σ6*))

as required by hypothesis H3. Thus, FSD1(Σ6*) is valid.

Σ6* = (V6*, C6', T6*, ≡6),

V6* = V6 ∪ V̄6,

C6' = C6 ∧ ls0 = ls1 = {},

τ0* = ⟨acq(ℓ[AT[0]]); At[0] := true⟩;
      A0: ⟨k, l[0] := 0, a[0]⟩;
      do k ≠ N →
         ⟨acq(ℓ[AT[k+1]]); At[k+1] := true⟩;
         A1: ⟨k, l[k+1] := k+1, a[k+1]⟩;
         ⟨At[k−1] := false; rel(ℓ[AT[k−1]])⟩
      od;
      ⟨At[N] := false; rel(ℓ[AT[N]])⟩;
      A2: ⟨end(τ0); τ̄0⟩

τ1* = ⟨acq(ℓ[IN[c0]], ..., ℓ[IN[d0−1]]); In[c0], ..., In[d0−1] := true, ..., true⟩;
      T0: ⟨a[c0], a[d0] := a[c0] + t0, a[d0] − t0⟩;
      ⟨In[c0], ..., In[d0−1] := false, ..., false; rel(ℓ[IN[c0]], ..., ℓ[IN[d0−1]])⟩;
      ⟨acq(ℓ[IN[c1]], ..., ℓ[IN[d1−1]]); In[c1], ..., In[d1−1] := true, ..., true⟩;
      T1: ⟨a[c1], a[d1] := a[c1] + t1, a[d1] − t1⟩;
      ⟨In[c1], ..., In[d1−1] := false, ..., false; rel(ℓ[IN[c1]], ..., ℓ[IN[d1−1]])⟩;
      T2: ⟨end(τ1); τ̄1⟩

Figure 3.10: Version 3 of Σ6*.

As the next step of Method 3.4.3, we must infer

SD1(Σ6*): {C6 ∧ V6 = V̄6} cobegin τ0* || τ1* coend {V6 ≡6 V̄6}

from FSD1(Σ6*). This is accomplished by first applying the Assertion Deletion Rule to obtain

{C6 ∧ V6 = V̄6}
⟨In[0], At[0], ..., In[N], At[N] := false, ..., false⟩;
cobegin τ0* || τ1* coend
{V6 ≡6 V̄6}

and then applying the Auxiliary Variable Deletion Rule to delete assignments to elements of In and At.

Finally, we must prove that execution of Σ6* terminates when started with C6 ∧ V6 = V̄6 true. To do this, we use Lemma 2.4.2, which states that under the assumption that concurrent execution of transactions is weakly fair, execution of Σ6* will terminate if the following two conditions are satisfied.

T1. Every execution of Σ6* consists of a bounded number of atomic operations.

T2. As long as execution of Σ6* has not terminated, there is at least one enabled atomic operation.

Theorem 3.5.1 When started with C6 ∧ V6 = V̄6 true, execution of Σ6* satisfies conditions T1 and T2. □

PO(τ0*):
{I0 ∧ ls0 = {} ∧ ⋀_{0≤j≤N} ¬At[j] ∧ Σ_{0≤j≤N} a[j] = Σ_{0≤j≤N} ā[j]}
⟨acq(ℓ[AT[0]]); At[0] := true⟩;
{I0 ∧ ls0 = {ℓ[AT[0]]} ∧ At[0] ∧ ⋀_{0<j≤N} ¬At[j] ∧ Σ_{0≤j≤N} a[j] = Σ_{0≤j≤N} ā[j]}
A0: ⟨k, l[0] := 0, a[0]⟩;
{I0 ∧ ls0 = {ℓ[AT[k]]} ∧ At[k] ∧ ⋀_{0≤j≤N, j≠k} ¬At[j]
   ∧ P0: (Σ_{0≤j≤k} l[j] + Σ_{k<j≤N} a[j]) = Σ_{0≤j≤N} ā[j]}
do k ≠ N →
   {I0 ∧ ls0 = {ℓ[AT[k]]} ∧ At[k] ∧ ⋀_{0≤j≤N, j≠k} ¬At[j] ∧ P0 ∧ k ≠ N}
   ⟨acq(ℓ[AT[k+1]]); At[k+1] := true⟩;
   {I0 ∧ ls0 = {ℓ[AT[k]], ℓ[AT[k+1]]} ∧ At[k] ∧ At[k+1] ∧ ⋀_{0≤j≤N, j≠k,k+1} ¬At[j] ∧ P0 ∧ k ≠ N}
   A1: ⟨k, l[k+1] := k+1, a[k+1]⟩;
   {I0 ∧ ls0 = {ℓ[AT[k−1]], ℓ[AT[k]]} ∧ At[k−1] ∧ At[k] ∧ ⋀_{0≤j≤N, j≠k−1,k} ¬At[j] ∧ P0}
   ⟨At[k−1] := false; rel(ℓ[AT[k−1]])⟩
   {I0 ∧ ls0 = {ℓ[AT[k]]} ∧ At[k] ∧ ⋀_{0≤j≤N, j≠k} ¬At[j] ∧ P0}
od;
{I0 ∧ ls0 = {ℓ[AT[N]]} ∧ At[N] ∧ ⋀_{0≤j<N} ¬At[j] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} ā[j]}
⟨At[N] := false; rel(ℓ[AT[N]])⟩;
{I0 ∧ ls0 = {} ∧ ⋀_{0≤j≤N} ¬At[j] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} ā[j]}
A2: ⟨end(τ0); τ̄0⟩
{I0 ∧ ls0 = {} ∧ ⋀_{0≤j≤N} ¬At[j] ∧ Σ_{0≤j≤N} l[j] = Σ_{0≤j≤N} l̄[j]}

Figure 3.11: Version 3 of PO(τ0*).

PO(τ1*):
{I0 ∧ ls1 = {} ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{0≤j≤N} a[j] = ā[j]}
⟨acq(ℓ[IN[c0]], ..., ℓ[IN[d0−1]]); In[c0], ..., In[d0−1] := true, ..., true⟩;
{I0 ∧ ls1 = {ℓ[IN[c0]], ..., ℓ[IN[d0−1]]} ∧ ⋀_{c0≤j<d0} In[j] ∧ ⋀_{¬(c0≤j<d0)} ¬In[j]
     ∧ ⋀_{0≤j≤N} a[j] = ā[j]}
T0: ⟨a[c0], a[d0] := a[c0] + t0, a[d0] − t0⟩;
{I0 ∧ ls1 = {ℓ[IN[c0]], ..., ℓ[IN[d0−1]]} ∧ ⋀_{c0≤j<d0} In[j] ∧ ⋀_{¬(c0≤j<d0)} ¬In[j]
     ∧ ⋀_{j≠c0,d0} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0}
⟨In[c0], ..., In[d0−1] := false, ..., false; rel(ℓ[IN[c0]], ..., ℓ[IN[d0−1]])⟩;
{I0 ∧ ls1 = {} ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{j≠c0,d0} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0
     ∧ a[d0] = ā[d0] − t0}
⟨acq(ℓ[IN[c1]], ..., ℓ[IN[d1−1]]); In[c1], ..., In[d1−1] := true, ..., true⟩;
{I0 ∧ ls1 = {ℓ[IN[c1]], ..., ℓ[IN[d1−1]]} ∧ ⋀_{c1≤j<d1} In[j] ∧ ⋀_{¬(c1≤j<d1)} ¬In[j]
     ∧ ⋀_{j≠c0,d0} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0}
T1: ⟨a[c1], a[d1] := a[c1] + t1, a[d1] − t1⟩;
{I0 ∧ ls1 = {ℓ[IN[c1]], ..., ℓ[IN[d1−1]]} ∧ ⋀_{c1≤j<d1} In[j] ∧ ⋀_{¬(c1≤j<d1)} ¬In[j]
     ∧ ⋀_{j≠c0,d0,c1,d1} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0 ∧ a[d0] = ā[d0] − t0
     ∧ a[c1] = ā[c1] + t1 ∧ a[d1] = ā[d1] − t1}
⟨In[c1], ..., In[d1−1] := false, ..., false; rel(ℓ[IN[c1]], ..., ℓ[IN[d1−1]])⟩;
{I0 ∧ ls1 = {} ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{j≠c0,d0,c1,d1} a[j] = ā[j] ∧ a[c0] = ā[c0] + t0
     ∧ a[d0] = ā[d0] − t0 ∧ a[c1] = ā[c1] + t1 ∧ a[d1] = ā[d1] − t1}
T2: ⟨end(τ1); τ̄1⟩
{I0 ∧ ls1 = {} ∧ ⋀_{0≤j≤N} ¬In[j] ∧ ⋀_{0≤j≤N} a[j] = ā[j]}

Figure 3.12: Version 3 of PO(τ1*).

Proof of Theorem 3.5.1 Note that the number of iterations of the loop in τ0* is bounded by N. Since every other operation is executed at most once, execution of Σ6* satisfies condition T1.

Suppose that execution of Σ6* has not terminated. There are three possibilities:

• One of τ0* or τ1* has reached an operation S_i that is not an acquire operation.

• One of τ0* or τ1* has reached an acquire operation S_i and the other has terminated.

• Both τ0* and τ1* have reached acquire operations S_i and S_j.

Assume the first case. Since FSD1(Σ6*) is valid, pre(S_i) will be true when S_i is reached. For every S_i in FSD1(Σ6*) that is not an acquire operation,

pre(S_i) ⇒ wp(S_i, true).

Thus, S_i is enabled.

Assume the second case. Since both transactions release every lock they acquire, the lock set of the terminated transaction will be empty. This implies that the acquire operation S_i is enabled.

Assume the last case. Without loss of generality, assume that S_i is an operation of τ0* and S_j is an operation of τ1*. Note that the lock set of τ1* is empty when an acquire operation in τ1* has been reached. This implies that S_i is enabled.

In each case, at least one operation is enabled. Thus, Σ6* satisfies condition T2. □

Thus, database system (Λ6,Σ6) of Figure 3.13, obtained by deleting auxiliary and shadow variables from (Λ6,Σ6*), is serializable.
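As an added example, not part of the dissertation, here is an executable model of the third version of (Λ6,Σ6*) from Figure 3.10. It explores every interleaving of τ0* and τ1* under the AT/IN locking protocol and, for comparison, with acquire and release treated as no-ops (the trivial Λ6 of Figure 3.2), and checks that under the protocol every completed run leaves the ledger summing to zero, as every serial schedule does, and that no reachable state is deadlocked (condition T2 of Theorem 3.5.1). N, the balances and the two transfers are constructed sample values; the shadow variables and the auxiliary arrays At and In are left out because, at run time, the lock sets carry the same information.

```python
# Added example (not the dissertation's code): model of (Lambda6, Sigma6*),
# version 3 of Figure 3.10, with constructed sample values below.
N = 3                     # accounts a[0..N]; a[0] is the bank's own account
A_INIT = (-7, 3, 2, 2)    # constructed balances; they sum to zero (C5)
C0, D0, T0 = 1, 3, 5      # T0 moves t0 from a[d0] to a[c0]  (0 <= c0 < d0 <= N)
C1, D1, T1 = 0, 2, 2      # T1 moves t1 from a[d1] to a[c1]  (0 <= c1 < d1 <= N)


def initial_state():
    """State = (a, l, k, pc0, pc1, ls0, ls1), immutable so it can be a set
    member.  ls0 holds the ('AT', j) locks of tau0*, ls1 the ('IN', j) locks
    of tau1*.  k is None until A0 has run; l[j] is None until copied."""
    return (A_INIT, (None,) * (N + 1), None, 0, 0, frozenset(), frozenset())


def lc6_allows(lock, other_locks):
    """LC6: l[AT[j]] and l[IN[j]] may not be held at the same time."""
    mode, j = lock
    conflict = ('IN', j) if mode == 'AT' else ('AT', j)
    return conflict not in other_locks


def step0(s, locking):
    """One atomic operation of tau0* (Figure 3.10).  Returns the successor
    state, None if tau0* is blocked on an acquire, or 'done' when finished."""
    a, l, k, pc0, pc1, ls0, ls1 = s
    if pc0 == 0:                     # <acq(l[AT[0]]); At[0] := true>
        if locking and not lc6_allows(('AT', 0), ls1):
            return None
        return (a, l, k, 1, pc1, ls0 | {('AT', 0)}, ls1)
    if pc0 == 1:                     # A0: <k, l[0] := 0, a[0]>
        return (a, (a[0],) + l[1:], 0, 2, pc1, ls0, ls1)
    if pc0 == 2:                     # loop guard: do k != N -> ... od
        return (a, l, k, 3 if k != N else 6, pc1, ls0, ls1)
    if pc0 == 3:                     # <acq(l[AT[k+1]]); At[k+1] := true>
        if locking and not lc6_allows(('AT', k + 1), ls1):
            return None
        return (a, l, k, 4, pc1, ls0 | {('AT', k + 1)}, ls1)
    if pc0 == 4:                     # A1: <k, l[k+1] := k+1, a[k+1]>
        l2 = l[:k + 1] + (a[k + 1],) + l[k + 2:]
        return (a, l2, k + 1, 5, pc1, ls0, ls1)
    if pc0 == 5:                     # <At[k-1] := false; rel(l[AT[k-1]])>
        return (a, l, k, 2, pc1, ls0 - {('AT', k - 1)}, ls1)
    if pc0 == 6:                     # <At[N] := false; rel(l[AT[N]])>; A2
        return (a, l, k, 7, pc1, ls0 - {('AT', N)}, ls1)
    return 'done'


def step1(s, locking):
    """One atomic operation of tau1* (Figure 3.10); same return convention.
    pc1 // 3 selects the transfer, pc1 % 3 the acquire / transfer / release."""
    a, l, k, pc0, pc1, ls0, ls1 = s
    if pc1 >= 6:
        return 'done'
    c, d, t = [(C0, D0, T0), (C1, D1, T1)][pc1 // 3]
    want = frozenset(('IN', j) for j in range(c, d))   # l[IN[c]] .. l[IN[d-1]]
    if pc1 % 3 == 0:                 # <acq(l[IN[c]], ..., l[IN[d-1]]); In := true>
        if locking and not all(lc6_allows(x, ls0) for x in want):
            return None
        return (a, l, k, pc0, pc1 + 1, ls0, ls1 | want)
    if pc1 % 3 == 1:                 # T0 / T1: <a[c], a[d] := a[c] + t, a[d] - t>
        a2 = list(a)
        a2[c] += t
        a2[d] -= t
        return (tuple(a2), l, k, pc0, pc1 + 1, ls0, ls1)
    return (a, l, k, pc0, pc1 + 1, ls0, ls1 - want)   # In := false; rel(...)


def explore(locking):
    """Depth-first search over every interleaving.  Returns the set of ledger
    sums seen in terminal states and the number of deadlocked states."""
    sums, deadlocks, seen, stack = set(), 0, set(), [initial_state()]
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        succ = [step0(s, locking), step1(s, locking)]
        if all(x == 'done' for x in succ):
            sums.add(sum(s[1]))      # every l[j] has been written by now
            continue
        nxt = [x for x in succ if x is not None and x != 'done']
        if not nxt:                  # neither transaction can move
            deadlocks += 1
        stack.extend(nxt)
    return sums, deadlocks
```

explore(True) returns ({0}, 0): with the protocol the ledger always balances and nothing deadlocks, while explore(False) also reports ledger sums other than zero, the embezzlement anomaly described at the start of this example.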

3.6  Discussion 

3.6.1  Comparing  Locking  Protocols 

Database system locking protocols are usually specified operationally. Lock modes typically correspond to the types of operations from which transactions are constructed, and the compatibility relation typically specifies that modes associated with operations of a given type are exclusive when the outcome of transaction execution is influenced by the order in which operations of this type interleave. Rules for acquiring and releasing locks almost always require a transaction to hold a lock when executing an associated operation.

In contrast, the locking protocols derived using the method of this chapter are specified assertionally. Lock modes correspond to predicates about the system state, and lock compatibility relations forbid different transactions from simultaneously holding locks when the associated predicates should not be simultaneously true. Rules for acquiring and releasing locks enforce a coupling between the state of a transaction and the set of locks it holds by requiring a transaction to hold a lock with a given mode whenever the associated predicate is true.

3.6.2  Locks  and  Local  State 

Locking protocols derived using Method 3.3.2 associate the locks held by a transaction τi with its local state through rules that require invariants of the form

LPI:

to remain true. Since no other transaction can modify the local state of τi or change the contents of its lock set, the requirement that LP is local to τi ensures that LPI is not interfered with. This property simplifies the task of synchronizing τi so that LPI remains true. In addition, this property makes Method 3.3.2 appropriate for synchronizing transactions to eliminate interference, since it avoids introducing additional interference in the process.


Section 3.5 demonstrated that the search for appropriate local predicates required when using Method 3.4.2 to strengthen assertions can lead to the introduction of local auxiliary variables to capture relevant properties of the local state of transactions. While this may seem somewhat cumbersome, it does tend to make explicit the points at which locks should be acquired and released.


Chapter  4 

Concluding  Remarks 

4.1  Summary  and  Discussion 

This dissertation has addressed two fundamental problems that arise in the context of database systems: the characterization of serializability and the construction of locking protocols to synchronize concurrently executing transactions. In contrast to the use of operational reasoning that has dominated previous research on these problems, we have used assertional reasoning to analyze the semantics of concurrent execution of transactions. As a result of this effort, we have been able to apply to database systems the tools and techniques that have been developed for reasoning assertionally about more general types of concurrent programs. This has led to insight into the semantics of serializability, provided new methods for specifying and proving the serializability of database systems, and suggested new ways of constructing locking protocols for database synchronization.

In Chapter 2, we presented a formal definition of serializability. A unique feature of this definition is an equivalence relation with which final states reached by schedules are compared. The equivalence relation, which can be derived from the application supported by the database, makes explicit the way in which the effects of different schedules are reflected in the system state. It does this by partitioning the set of system states into equivalence classes, each containing states that are indistinguishable by the supported application. The inclusion of this relation as a parameter of the definition can be viewed as a generalization of previous definitions, which make implicit assumptions about aspects of the system state that are relevant.

Our initial characterization of serializability shared with previous ones the property that the serializability of a database system is defined in terms of the serializability of each of its possible schedules. Because of the potentially enormous number of different schedules possible in a typical database system, it also shares with previous definitions the property of limited utility as a practical basis for verifying the serializability of database systems. For this reason, we turned to proof outlines to obtain a more useful characterization of serializability.

Proof outlines provide a way to reason formally about a concurrent program without considering every possible interleaving of its operations. We presented two characterizations of serializability in terms of proof outlines. The first was equivalent to our original definition; the second was strictly weaker, specifying a property that only implied serializability under the original definition. Translation of serializability into proof outlines was made possible using shadow variables and transactions to model serial schedule behavior in the system state. Our two characterizations of serializability with proof outlines differ concerning how these shadow variables and transactions were used to accomplish this.

Our first characterization of serializability with proof outlines used shadow transactions within assertions to specify the set of states reachable by serial executions of a database system. This necessitated a proof outline with a postcondition of size proportional to the number of different serial schedules for that system. This number, though smaller than the number of all types of schedules, can be large enough in many situations that the proof outlines used to specify and prove serializability grow unwieldy.

Our second characterization of serializability avoided this problem by moving the shadow transactions from assertions into transactions themselves, where they run serially alongside other transaction operations. This makes it possible to characterize serializability with simpler assertions, because serial behavior is captured implicitly in the state of the shadow variables as the shadow transactions run.

Our use of proof outlines to characterize serializability provides not only a way to characterize and reason assertionally about serializability, but also provides a framework in which synchronization to ensure serializability can be derived from the proof outlines that specify it. We explored this possibility in Chapter 3, where we described a method for deriving locking protocols for database systems. Our method is built upon an assertional characterization of locking: locks are associated with predicates on the system state and lock compatibility is induced by restrictions on configurations of states during concurrent execution of transactions. This is different from the traditional view of locking, in which locks are associated with operation types and lock compatibility is motivated by restrictions on the types of operations that can run concurrently.
Using our method, locking protocols are derived using full proof outlines for transactions. Since full proof outlines contain assertions before and after each operation, information about the context in which operations run is available while deriving synchronization. This information can be used to identify those interleavings of operations that do not violate serializability, and incorporated into the derived locking protocol to increase concurrency among transactions that follow it. Locking protocols derived operationally are not able to capitalize on such information.

4.2  Topics  for  Further  Research 

In  our  database  system  model,  we  have  assumed  that  database  systems  execute  a  fixed, 
finite  number  of  transactions  concurrently.  Such  a  model  is  appropriate  for  special 
purpose  databases  that  support  applications  in  which  the  set  of  transactions  necessary 
can  be  determined  in  advance.  It  is  not  as  appropriate  for  systems  in  which  new 
transactions  are  introduced  and  executed  as  time  passes.  Further  research  is  needed  to 
determine  the  extent  to  which  the  results  of  this  dissertation  can  be  applied  to  these 
types  of  database  systems. 

Serializability is an instance of a type of virtual atomicity that appears in areas of concurrent programming other than database systems. An example of one such situation is described in [HW86], where concurrent processes access instances of abstract datatypes by invoking abstract operations. To simplify the design of processes in such systems, processes are constructed under the assumption that individual abstract operation invocations run atomically. When abstract operations run concurrently, however, the operations from which they are composed can interleave to violate these assumptions. To prevent this, abstract operations are synchronized to guarantee a property called linearizability that ensures every concurrent execution is equivalent to one in which abstract operations run indivisibly. Analysis of linearizability and other situations requiring virtual atomicity is warranted to see if the assertional tools developed in this dissertation are useful.
Appendix A

Axioms and Inference Rules of Proof Outline Logic

skip Axiom.

$\{R\}\ \mathbf{skip}\ \{R\}$

Assignment Axiom.

Let $\bar x = x_0, \ldots, x_N$ be a vector of simple variables (i.e., not elements of records or
arrays) and let $\bar e = e_0, \ldots, e_N$ be a vector, equal in length to $\bar x$, of expressions in
which the types of each $e_i$ and $x_i$ are the same.

$\{R^{\bar x}_{\bar e}\}\ \bar x := \bar e\ \{R\}$
Acquire Axiom.

For $\mathit{acq}(\ldots)$ an acquire operation in $\tau_i$,

. 'Kl'" 

{«} 

Release  Axiom. 

For $\mathit{rel}(\ldots)$ a release operation in $\tau_i$,

. 'Kl)» 

{«} 

Statement Composition Rule.

$\dfrac{\{P\}\ S_0\ \{Q\},\quad \{Q\}\ S_1\ \{R\}}{\{P\}\ S_0\ \{Q\}\ S_1\ \{R\}}$

if Rule.

$\dfrac{\{B_0 \wedge Q\}\ S_0\ \{R\},\ \ldots,\ \{B_n \wedge Q\}\ S_n\ \{R\}}{\begin{array}{l}\{Q\}\\ \mathbf{if}\ B_0 \rightarrow \{B_0 \wedge Q\}\ S_0\ \{R\}\\ \ \ \Box\ \cdots\\ \ \ \Box\ B_n \rightarrow \{B_n \wedge Q\}\ S_n\ \{R\}\\ \mathbf{fi}\\ \{R\}\end{array}}$

do Rule.

$\dfrac{\{B_0 \wedge I\}\ S_0\ \{I\},\ \ldots,\ \{B_n \wedge I\}\ S_n\ \{I\}}{\begin{array}{l}\{I\}\\ \mathbf{do}\ B_0 \rightarrow \{B_0 \wedge I\}\ S_0\ \{I\}\\ \ \ \Box\ \cdots\\ \ \ \Box\ B_n \rightarrow \{B_n \wedge I\}\ S_n\ \{I\}\\ \mathbf{od}\\ \{I \wedge \neg B_0 \wedge \cdots \wedge \neg B_n\}\end{array}}$

Rule of Consequence.

$\dfrac{\{Q\}\ S\ \{R\},\quad Q' \Rightarrow Q,\quad R \Rightarrow R'}{\{Q'\}\ S\ \{R'\}}$

Assertion Deletion Rule.

Let $S''$ be the result of deleting one or more assertions from annotated program $S'$.

$\dfrac{\{Q\}\ S'\ \{R\}}{\{Q\}\ S''\ \{R\}}$

Atomicity Rule.

$\dfrac{\{Q\}\ S'\ \{R\}}{\{Q\}\ \langle S' \rangle\ \{R\}}$

Auxiliary Variable Deletion Rule.

Let $AV$ be a set of auxiliary variables in annotated program $S$ and let $S|_{AV}$ be
the annotated program obtained by deleting from $S$ all assignments to variables
of $AV$. If $Q$, $R$ and the assertions of $S$ do not mention any variable in $AV$, then

$\dfrac{\{Q\}\ S\ \{R\}}{\{Q\}\ S|_{AV}\ \{R\}}$


cobegin Rule.

Let $PO_0, \ldots, PO_{N-1}$ be full proof outlines (ones in which at least one assertion
precedes and follows each atomic operation). Define $\alpha \parallel A$ if and only if $\alpha$ is an
atomic operation in one proof outline $PO_i$ and $A$ is an assertion in another proof
outline $PO_j$.

$\dfrac{\begin{array}{l}H0\colon\ PO_0, \ldots, PO_{N-1},\\ H1\colon\ Q \Rightarrow (\mathit{pre}(PO_0) \wedge \cdots \wedge \mathit{pre}(PO_{N-1})),\\ H2\colon\ (\mathit{post}(PO_0) \wedge \cdots \wedge \mathit{post}(PO_{N-1})) \Rightarrow R,\\ H3\colon\ (\forall \alpha, A\colon\ \alpha \parallel A\colon\ \mathit{NI}(\alpha, A)\colon\ \{\mathit{pre}(\alpha) \wedge A\}\ \alpha\ \{A\})\end{array}}{\{Q\}\ \mathbf{cobegin}\ PO_0 \parallel PO_1 \parallel \cdots \parallel PO_{N-1}\ \mathbf{coend}\ \{R\}}$
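As an added worked example, which is not part of the original appendix, the rules above are applied to the standard two-process increment: two atomic operations each add 1 to a shared variable $x$, and the goal is $\{x = 0\}\ \ldots\ \{x = 2\}$. The auxiliary variables $a$ and $b$, the operation names $\alpha_0$ and $\alpha_1$, and the assertions chosen for each proof outline are assumptions made for this illustration; $x$ ranges over the integers.

```latex
% Annotated program S, with auxiliary variables a, b (assumed for this example) recording
% which increment has run. Q = (x = 0), R = (x = 2).
\{x = 0\}\ a, b := \mathit{false}, \mathit{false}\ \{x = 0 \wedge \neg a \wedge \neg b\}\
  \mathbf{cobegin}\ PO_0 \parallel PO_1\ \mathbf{coend}\ \{x = 2\}

PO_0\colon\ \{\neg a \wedge ((x = 0 \wedge \neg b) \vee (x = 1 \wedge b))\}\ \alpha_0\
           \{a \wedge ((x = 1 \wedge \neg b) \vee (x = 2 \wedge b))\},
           \quad \alpha_0 = \langle x := x + 1;\ a := \mathit{true} \rangle
PO_1\colon\ \{\neg b \wedge ((x = 0 \wedge \neg a) \vee (x = 1 \wedge a))\}\ \alpha_1\
           \{b \wedge ((x = 1 \wedge \neg a) \vee (x = 2 \wedge a))\},
           \quad \alpha_1 = \langle x := x + 1;\ b := \mathit{true} \rangle

% Validity of PO_0 (PO_1 is symmetric): Assignment Axiom for each assignment,
% Rule of Consequence to drop the \neg a conjunct before a := true, Statement
% Composition, then the Atomicity Rule to enclose the sequence in angle brackets.
\{\neg a \wedge ((x = 0 \wedge \neg b) \vee (x = 1 \wedge b))\}\ x := x + 1\
\{\neg a \wedge ((x = 1 \wedge \neg b) \vee (x = 2 \wedge b))\}\ a := \mathit{true}\
\{a \wedge ((x = 1 \wedge \neg b) \vee (x = 2 \wedge b))\}

% Hypotheses of the cobegin rule with Q' = (x = 0 \wedge \neg a \wedge \neg b):
H1\colon\ x = 0 \wedge \neg a \wedge \neg b \Rightarrow \mathit{pre}(PO_0) \wedge \mathit{pre}(PO_1)
H2\colon\ \mathit{post}(PO_0) \wedge \mathit{post}(PO_1) \Rightarrow a \wedge b \wedge x = 2 \Rightarrow x = 2
H3\colon\ \text{four pairs } \alpha \parallel A\text{; the two for } \alpha_0
          \text{ (those for } \alpha_1 \text{ are symmetric):}
\mathit{NI}(\alpha_0, \mathit{pre}(PO_1))\colon\
  \mathit{pre}(\alpha_0) \wedge \mathit{pre}(PO_1) = (\neg a \wedge \neg b \wedge x = 0);\
  \text{after } \alpha_0\colon\ a \wedge \neg b \wedge x = 1 \Rightarrow \mathit{pre}(PO_1)
\mathit{NI}(\alpha_0, \mathit{post}(PO_1))\colon\
  \mathit{pre}(\alpha_0) \wedge \mathit{post}(PO_1) = (\neg a \wedge b \wedge x = 1);\
  \text{after } \alpha_0\colon\ a \wedge b \wedge x = 2 \Rightarrow \mathit{post}(PO_1)

% The cobegin rule yields {Q'} cobegin PO_0 || PO_1 coend {x = 2}; Statement Composition
% with the initialisation gives the full outline for S. The Assertion Deletion Rule
% then removes every assertion that mentions a or b, and the Auxiliary Variable
% Deletion Rule with AV = {a, b} removes the three assignments to them:
\{x = 0\}\ \mathbf{cobegin}\ \langle x := x + 1 \rangle \parallel \langle x := x + 1 \rangle\ \mathbf{coend}\ \{x = 2\}
```

Without the auxiliary variables no assertion of $PO_0$ can distinguish "my increment has not run yet" from "the other process has already incremented", so $H3$ cannot be discharged; the auxiliary variables are what make the interference-freedom triples provable, and the last two rules are what remove them again from the program that is finally executed.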




Appendix B

The Weakest Precondition Predicate Transformer

The weakest precondition of $S$ with respect to $R$, denoted $wp(S, R)$, represents the
set of all states such that execution of $S$ begun in any one of them is guaranteed to
terminate in a finite amount of time in a state satisfying $R$ [G81]. $wp$ satisfies the
following properties.

Law of the Excluded Miracle.

$wp(S, \mathit{false}) = \mathit{false}$.

Distributivity of Conjunction.

$(wp(S, Q) \wedge wp(S, R)) = wp(S, Q \wedge R)$.

Law of Monotonicity.

If $Q \Rightarrow R$ then $wp(S, Q) \Rightarrow wp(S, R)$.

Distributivity of Disjunction.

$(wp(S, Q) \vee wp(S, R)) \Rightarrow wp(S, Q \vee R)$.

Distributivity of Disjunction for Deterministic $S$.

$(wp(S, Q) \vee wp(S, R)) \Leftrightarrow wp(S, Q \vee R)$.

skip Axiom.

$wp(\mathbf{skip}, R) = R$.

Assignment Axiom.

Let $\bar x = x_0, \ldots, x_N$ be a vector of simple variables (i.e., not elements of records or
arrays) and let $\bar e = e_0, \ldots, e_N$ be a vector, equal in length to $\bar x$, of expressions in
which the types of each $e_i$ and $x_i$ are the same. Define $\mathit{DOM}(e_0, \ldots, e_N)$ to be
the predicate that describes the set of all states in which each $e_i$ is well-defined.

$wp(x_0, \ldots, x_N := e_0, \ldots, e_N,\ R) = \mathit{DOM}(e_0, \ldots, e_N) \wedge R^{\bar x}_{\bar e}$


if Rule.

Let $\mathit{IF}$ denote

$\mathbf{if}\ B_0 \rightarrow S_0\ \Box\ \cdots\ \Box\ B_N \rightarrow S_N\ \mathbf{fi}$

and let $BB$ denote

$B_0 \vee B_1 \vee \cdots \vee B_N$.

$wp(\mathit{IF}, R) = \mathit{DOM}(BB) \wedge BB \wedge \bigwedge_{0 \le i \le N} (B_i \Rightarrow wp(S_i, R))$

do Rule.

Let $\mathit{DO}$ denote

$\mathbf{do}\ B_0 \rightarrow S_0\ \Box\ B_1 \rightarrow S_1\ \Box\ \cdots\ \Box\ B_N \rightarrow S_N\ \mathbf{od}$

and let $BB$ denote

$B_0 \vee B_1 \vee \cdots \vee B_N$.

$H_k(R) = H_0(R) \vee wp(\mathit{IF}, H_{k-1}(R))$ for $k > 0$.

$wp(\mathit{DO}, R) = (\exists k\colon 0 \le k\colon H_k(R))$.


Composition Rule.

$wp(S_1; S_2,\ R) = wp(S_1, wp(S_2, R))$.
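As an added worked example, which is not part of the original appendix, the definitions above are applied to three small statements. The statements and postconditions are chosen for this illustration, variables range over the integers, and the base case $H_0(R) = \neg BB \wedge R$ is the definition from [G81], which the appendix uses but does not restate.

```latex
% Assignment with a partial expression: DOM records that y/z is defined only when z \neq 0.
wp(x := y/z,\ x > 0) = \mathit{DOM}(y/z) \wedge (x > 0)^{x}_{y/z} = (z \neq 0) \wedge (y/z > 0)

% Nondeterministic if: at x = 0 both guards hold, and the conjunction over all guards
% requires every enabled alternative to establish R.
\mathit{IF}_{\mathrm{abs}} = \mathbf{if}\ x \ge 0 \rightarrow y := x\ \Box\ x \le 0 \rightarrow y := -x\ \mathbf{fi},
\qquad R = (y = |x|)
BB = (x \ge 0) \vee (x \le 0) = \mathit{true}, \qquad \mathit{DOM}(BB) = \mathit{true}
wp(\mathit{IF}_{\mathrm{abs}}, R)
  = \mathit{true} \wedge \mathit{true} \wedge (x \ge 0 \Rightarrow x = |x|) \wedge (x \le 0 \Rightarrow -x = |x|)
  = \mathit{true}

% Loop: DO = do x > 0 -> x := x - 1 od with R = (x = 0); IF is the if-statement
% built from the same single guard, so BB = (x > 0).
H_0(R) = \neg BB \wedge R = (x \le 0) \wedge (x = 0) = (x = 0)
wp(\mathit{IF}, P) = \mathit{DOM}(x > 0) \wedge (x > 0) \wedge (x > 0 \Rightarrow P^{x}_{x-1})
                   = (x > 0) \wedge P^{x}_{x-1}
H_1(R) = H_0(R) \vee wp(\mathit{IF}, H_0(R))
       = (x = 0) \vee ((x > 0) \wedge (x - 1 = 0)) = (0 \le x \le 1)
H_k(R) = (x = 0) \vee ((x > 0) \wedge (0 \le x - 1 \le k - 1)) = (0 \le x \le k)
       \quad \text{(by induction on } k)
wp(\mathit{DO}, x = 0) = (\exists k\colon 0 \le k\colon 0 \le x \le k) = (x \ge 0)

% Composition: initialising x before the loop.
wp(x := n;\ \mathit{DO},\ x = 0) = wp(x := n,\ wp(\mathit{DO}, x = 0)) = wp(x := n,\ x \ge 0) = (n \ge 0)
```

$H_k(R)$ is exactly the set of states from which $\mathit{DO}$ terminates in at most $k$ iterations in a state satisfying $R$. A state with $x < 0$ makes the loop exit immediately with $x \neq 0$, so it appears in no $H_k(R)$ and is correctly excluded from $wp(\mathit{DO}, x = 0)$; the existential over $k$ is what turns the per-iteration bound into the termination guarantee that the definition of $wp$ requires.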